Abstract. Appel and McAllester's "step-indexed" logical relations have proven to be a simple and effective technique for reasoning about programs in languages with semantically interesting types, such as general recursive types and general reference types. However, proofs using step-indexed models typically involve tedious, error-prone, and proof-obscuring step-index arithmetic, so it is important to develop clean, high-level, equational proof principles that avoid mention of step indices.

In this paper, we show how to reason about binary step-indexed logical relations in an abstract and elegant way. Specifically, we define a logic LSLR, which is inspired by Plotkin and Abadi's logic for parametricity, but also supports recursively defined relations by means of the modal "later" operator from Appel, Melliès, Richards, and Vouillon's "very modal model" paper. We encode in LSLR a logical relation for reasoning relationally about programs in call-by-value System F extended with general recursive types. Using this logical relation, we derive a set of useful rules with which we can prove contextual equivalence and approximation results without counting steps.



Appel and McAllester [6] invented the step-indexed model in order to express "semantic" proofs of type safety for use in foundational proof-carrying code. The basic idea is to characterize type inhabitation as a predicate indexed by the number of steps of computation left before "the clock" runs out. If a term $e$ belongs to a type $\tau$ for any number of steps (i.e., for an arbitrarily wound-up clock), then it is truly semantically an inhabitant of $\tau$.

The step-indexed characterization of type inhabitation has the benefit that it can be defined inductively on the step index $k$. This is especially useful when modeling semantically troublesome features like recursive and mutable reference types, whose inhabitants would be otherwise difficult to define inductively on the type structure. Moreover, the step-indexed model's reliance on very simple mathematical constructions makes it particularly convenient for use in foundational type-theoretic proofs, in which all mathematical machinery must be mechanized.

In subsequent work, Ahmed and coworkers have shown that the step-indexed model can also be used for relational reasoning about programs in languages with semantically interesting types, such as general recursive types and general reference types [4, 3, 6, 2].

However, a continual annoyance in working with step-indexed logical relations, as well as a stumbling block to their general acceptance, is the tedious, error-prone, and proof-obscuring reasoning about step indices that seems superficially to be an essential element of the method. To give a firsthand example: the first two authors (together with Andreas Rossberg) recently developed a step-indexed technique for proving representation independence of "generative" ADTs, i.e., ADTs that employ, in an interdependent fashion, both local state and existential type abstraction [5]. While the technique proved useful on a variety of examples, we found that our proofs using it tended to be cluttered with step-index arithmetic, to the point that their main substance was obscured. Thus, it seems clear that widespread acceptance of step-indexed logical relations will hinge on the development of abstract proof principles for reasoning about them.

The key difficulty in developing such abstract proof principles is that, in order to reason 
about things being infinitely logically related, i.e., belonging to a step-indexed logical rela- 
tion at all step levels — which is what one ultimately cares about — one must reason about 
their presence in the logical relation at any particular step index, and this forces one into 
finite, step-specific reasoning. 

To see a concrete example of this, consider Ahmed's step-indexed logical relation for proving equivalence of programs written in an extension of System F with recursive types [4]. One might expect to have a step-free proof principle for establishing that two function values are infinitely logically related, along the lines of: $\lambda x_1.e_1$ and $\lambda x_2.e_2$ are infinitely logically related at the type $\sigma \to \tau$ iff, whenever $v_1$ and $v_2$ are infinitely related at $\sigma$, it is the case that $e_1[v_1/x_1]$ and $e_2[v_2/x_2]$ are infinitely related at $\tau$. Instead, in Ahmed's model we have that $\lambda x_1.e_1$ and $\lambda x_2.e_2$ are infinitely related at $\sigma \to \tau$ iff for all $n > 0$, whenever $v_1$ and $v_2$ are related at $\sigma$ for $n$ steps, $e_1[v_1/x_1]$ and $e_2[v_2/x_2]$ are related at $\tau$ for $n$ steps. That is, the latter is a stronger property: if $\lambda x_1.e_1$ and $\lambda x_2.e_2$ map $n$-related arguments to $n$-related results (for any $n$), then they also map infinitely-related arguments to infinitely-related results, but the converse is not necessarily true. Thus, in proving infinite properties of the step-indexed model, it seems necessary to reason about an arbitrary finite index $n$.

In this paper, we show how to alleviate this problem by reasoning inside a logic we call LSLR. Our approach involves a novel synthesis of ideas from two well-known pieces of prior work: (1) Plotkin and Abadi's logic for relational reasoning about parametric polymorphism (hereafter, PAL) [30], and (2) Appel, Melliès, Richards, and Vouillon's "very modal model" paper (hereafter, AMRV) [7].

PAL is a second-order intuitionistic logic extended with axioms for equational reasoning 
about relational parametricity in pure System F. Plotkin and Abadi show how to define a 
logical relation interpretation of System F types in terms of the basic constructs of their 
logic. Second-order quantification over abstract relation variables is important in defining 
the relational interpretation of polymorphic types. 

In this paper, we adapt the basic apparatus of PAL toward a new purpose: reasoning operationally about contextual equivalence and approximation in a call-by-value language $F^\mu$ with recursive and polymorphic types. We will show how to encode in our logic LSLR a logical relation that is sound and complete with respect to contextual approximation, based on a step-indexed relation previously published by Ahmed [4]. Compared with Ahmed's relation, ours is more abstract: proofs using it do not require any step-index arithmetic. Furthermore, whereas Ahmed's relation is fundamentally asymmetric, our logic enables the derivation of both equational and inequational reasoning principles.

In order to adapt PAL in this way, we need in particular the ability to (1) reason about call-by-value and (2) logically interpret recursive types of $F^\mu$. To address (1), we employ atomic predicates (and first-order axioms) related to CBV reduction instead of PAL's equational predicates and axioms. This approach is similar to earlier logics of partial terms for call-by-value calculi with simple [28] and recursive (but not universal) types [2].

For handling recursive types, it suffices to have some way of defining recursive relations $\mu r.R$ in the logic. This can be done when $R$ is suitably "contractive" in $r$; to express contractiveness, we borrow the "later" operator $\triangleright P$ from AMRV, which they in turn borrowed from Gödel-Löb logic [23]. Hence, LSLR is in fact not only a second-order logic (like PAL) but a modal one, and the truth value of a proposition is the set of worlds (think: step levels) at which it holds. The key reasoning principle concerning the later operator is the Löb rule, which states that $(\triangleright P \Rightarrow P) \Rightarrow P$. This can be viewed as a principle of induction on step levels, but we shall see that, when it is employed in connection with logical relations, it also has a coinductive flavor reminiscent of the reasoning principles used in bisimulation methods like Sumii and Pierce's [34].

1.1. Overview. In Section 2 we present our language under consideration, $F^\mu$.

In Section 3 we present our logic LSLR described above. We give a Kripke model of LSLR with worlds being natural numbers, and "future worlds" being smaller numbers, so that semantic truth values are downward-closed sets of natural numbers. We also present a set of basic axioms that are sound with respect to this model, and which are useful in deriving more complex rules later in the paper.

In Section 4 we define a logical relation interpretation of $F^\mu$ types directly in terms of the syntactic relations of LSLR. Then we derive a set of useful rules for establishing properties about the logical relation. Using these rules, it is easy to show that the logical relation is sound and complete w.r.t. contextual approximation. We also show in this section how to define a symmetric version of the logical relation, which enables direct equational reasoning about $F^\mu$ programs.

In Section 5 we give examples of contextual equivalence proofs that employ purely logical reasoning using the derivable rules from Section 4 (in particular, without any kind of step-index arithmetic).

In Section 6 we demonstrate how our LSLR proofs improve on previous step-indexed proofs by comparing our proof for one of the examples from Section 5 to a proof of that example in the style of Ahmed [4].

In Section 7 we explain how the present version of LSLR improves on (and corrects a technical flaw in) the version we published previously in LICS 2009 [14].

Finally, in Section 8 we discuss related work and conclude.

2. The Language $F^\mu$

We consider $F^\mu$, a call-by-value $\lambda$-calculus with impredicative polymorphism and iso-recursive types. The syntax of $F^\mu$ is shown in Figure 1. Sum and recursive type injections are type-annotated to ensure unique typing, but we will often omit the annotations when they are obvious from context. Figure 2 shows the left-to-right call-by-value dynamic semantics for the language, defined as a small-step relation on terms (written $e \hookrightarrow e'$), which employs evaluation contexts $E$ in the standard way. Note that the reduction relation is deterministic.

$$\begin{array}{lrcl}
\text{Types} & \tau & ::= & \alpha \mid \mathsf{unit} \mid \mathsf{int} \mid \mathsf{bool} \mid \tau_1 \times \tau_2 \mid \tau_1 + \tau_2 \mid \tau_1 \to \tau_2 \mid \forall\alpha.\,\tau \mid \exists\alpha.\,\tau \mid \mu\alpha.\,\tau \\[0.5ex]
\text{Prim Ops} & o & ::= & + \mid - \mid = \mid < \mid \leq \mid \cdots \\[0.5ex]
\text{Terms} & e & ::= & x \mid \langle\rangle \mid \pm n \mid o(e_1, \ldots, e_n) \mid \mathsf{true} \mid \mathsf{false} \mid \mathsf{if}\ e\ \mathsf{then}\ e_1\ \mathsf{else}\ e_2 \mid \\
&&& \langle e_1, e_2 \rangle \mid \mathsf{fst}\ e \mid \mathsf{snd}\ e \mid \mathsf{inl}_\tau\ e \mid \mathsf{inr}_\tau\ e \mid \mathsf{case}\ e\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow e_2 \mid \\
&&& \lambda x{:}\tau.\,e \mid e_1\ e_2 \mid \Lambda\alpha.\,e \mid e\ \tau \mid \mathsf{pack}\ \tau, e\ \mathsf{as}\ \exists\alpha.\,\tau' \mid \mathsf{unpack}\ e_1\ \mathsf{as}\ \alpha, x\ \mathsf{in}\ e_2 \mid \\
&&& \mathsf{roll}_\tau\ e \mid \mathsf{unroll}\ e \\[0.5ex]
\text{Values} & v & ::= & x \mid \langle\rangle \mid \pm n \mid \mathsf{true} \mid \mathsf{false} \mid \langle v_1, v_2 \rangle \mid \mathsf{inl}_\tau\ v \mid \mathsf{inr}_\tau\ v \mid \lambda x{:}\tau.\,e \mid \Lambda\alpha.\,e \mid \\
&&& \mathsf{pack}\ \tau', v\ \mathsf{as}\ \exists\alpha.\,\tau \mid \mathsf{roll}_\tau\ v
\end{array}$$

Figure 1: $F^\mu$ Syntax

$$\begin{array}{lrcl}
\text{Eval. Contexts} & E & ::= & [\cdot] \mid o(v_1, \ldots, v_{i-1}, E, e_{i+1}, \ldots, e_n) \mid \mathsf{if}\ E\ \mathsf{then}\ e_1\ \mathsf{else}\ e_2 \mid \langle E, e_2 \rangle \mid \langle v_1, E \rangle \mid \\
&&& \mathsf{fst}\ E \mid \mathsf{snd}\ E \mid \mathsf{inl}_\tau\ E \mid \mathsf{inr}_\tau\ E \mid \mathsf{case}\ E\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow e_2 \mid \\
&&& E\ e \mid v\ E \mid E\ \tau \mid \mathsf{pack}\ \tau', E\ \mathsf{as}\ \exists\alpha.\,\tau \mid \mathsf{unpack}\ E\ \mathsf{as}\ \alpha, x\ \mathsf{in}\ e_2 \mid \mathsf{roll}_\tau\ E \mid \mathsf{unroll}\ E
\end{array}$$

$$\begin{array}{rcl}
\mathsf{if}\ \mathsf{true}\ \mathsf{then}\ e_1\ \mathsf{else}\ e_2 & \hookrightarrow & e_1 \\
\mathsf{if}\ \mathsf{false}\ \mathsf{then}\ e_1\ \mathsf{else}\ e_2 & \hookrightarrow & e_2 \\
\mathsf{fst}\ \langle v_1, v_2 \rangle & \hookrightarrow & v_1 \\
\mathsf{snd}\ \langle v_1, v_2 \rangle & \hookrightarrow & v_2 \\
\mathsf{case}\ (\mathsf{inl}_\tau\ v)\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow e_2 & \hookrightarrow & e_1[v/x_1] \\
\mathsf{case}\ (\mathsf{inr}_\tau\ v)\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow e_2 & \hookrightarrow & e_2[v/x_2] \\
(\lambda x{:}\tau.\,e)\ v & \hookrightarrow & e[v/x] \\
(\Lambda\alpha.\,e)\ \tau & \hookrightarrow & e[\tau/\alpha] \\
\mathsf{unpack}\ (\mathsf{pack}\ \tau, v\ \mathsf{as}\ \exists\alpha.\,\tau_1)\ \mathsf{as}\ \alpha, x\ \mathsf{in}\ e & \hookrightarrow & e[v/x][\tau/\alpha] \\
\mathsf{unroll}\ (\mathsf{roll}_\tau\ v) & \hookrightarrow & v
\end{array}
\qquad\qquad
\frac{e \hookrightarrow e'}{E[e] \hookrightarrow E[e']}$$

Figure 2: Dynamic Semantics

$F^\mu$ typing judgments have the form $\Gamma \vdash e : \tau$, where the context $\Gamma$ binds type variables $\alpha$, as well as term variables $x$: $\Gamma ::= \cdot \mid \Gamma, \alpha \mid \Gamma, x{:}\tau$. The typing rules are also standard and are given in full in Appendix A (Figure 10).

2.1. Contextual Approximation and Equivalence. A context $C$ is a term with a single hole $[\cdot]$ in it. The typing judgment for contexts has the form $\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')$,
$$\begin{array}{lrcl}
\text{Relation Variables} & r & & \\
\text{Variable Contexts} & \mathcal{X} & ::= & \cdot \mid \mathcal{X}, \alpha \mid \mathcal{X}, x \\
\text{Variable Substitutions} & \gamma & ::= & \cdot \mid \gamma, \alpha \mapsto \tau \mid \gamma, x \mapsto e \\
\text{Relation Contexts} & \mathcal{R} & ::= & \cdot \mid \mathcal{R}, r \\
\text{Relation Substitutions} & \varphi & ::= & \cdot \mid \varphi, r \mapsto R \\
\text{Proposition Contexts} & \mathcal{P} & ::= & \cdot \mid \mathcal{P}, P \\
\text{Combined Contexts} & \mathcal{C} & ::= & \mathcal{X}; \mathcal{R}; \mathcal{P} \\
\text{Atomic Relations} & A & ::= & e_1 = e_2 \mid \cdots \\
\text{Relations} & P, Q, R, S & ::= & r \mid A \mid \top \mid \bot \mid P \wedge Q \mid P \vee Q \mid P \Rightarrow Q \mid \\
&&& \forall\mathcal{X}.\,P \mid \exists\mathcal{X}.\,P \mid \forall\mathcal{R}.\,P \mid \exists\mathcal{R}.\,P \mid \\
&&& \bar{x}.\,P \mid \bar{e} \in R \mid \mu r.\,R \mid \triangleright P
\end{array}$$

Figure 3: Syntax of Core LSLR



where $(\Gamma \vdash \tau)$ indicates the type of the hole. This judgment essentially says that if $e$ is a term such that $\Gamma \vdash e : \tau$, then $\Gamma' \vdash C[e] : \tau'$. Its formal definition appears in Appendix A (Figures 11 and 12).

We define contextual approximation ($\Gamma \vdash e_1 \preceq^{\mathit{ctx}} e_2 : \tau$) to mean that, for any well-typed program context $C$ with a hole of the type of $e_1$ and $e_2$, the termination of $C[e_1]$ (written $C[e_1]\Downarrow$) implies the termination of $C[e_2]$. Contextual equivalence ($\Gamma \vdash e_1 \approx^{\mathit{ctx}} e_2 : \tau$) is then defined as approximation in both directions.

Definition 2.1 (Contextual Approximation & Equivalence). Let $\Gamma \vdash e_1 : \tau$ and $\Gamma \vdash e_2 : \tau$.

$$\begin{array}{rcl}
\Gamma \vdash e_1 \preceq^{\mathit{ctx}} e_2 : \tau & \stackrel{\text{def}}{=} & \forall C, \tau'.\ (\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\cdot \vdash \tau') \wedge C[e_1]\Downarrow) \Rightarrow C[e_2]\Downarrow \\[0.5ex]
\Gamma \vdash e_1 \approx^{\mathit{ctx}} e_2 : \tau & \stackrel{\text{def}}{=} & \Gamma \vdash e_1 \preceq^{\mathit{ctx}} e_2 : \tau \wedge \Gamma \vdash e_2 \preceq^{\mathit{ctx}} e_1 : \tau
\end{array}$$



3. The Logic LSLR 

LSLR is a second-order intuitionistic modal logic supporting a primitive notion of term 
relations, as well as the ability to define such relations recursively. 

3.1. Syntax. The core syntax of LSLR is given in Figure 3.

$F^\mu$ variable contexts $\mathcal{X}$ are similar to $F^\mu$ contexts $\Gamma$, except that they omit type annotations on term variables. Instead, well-typedness of variables is modeled through explicit typing hypotheses in the proposition context $\mathcal{P}$ (see below). $F^\mu$ variable substitutions $\gamma$ map variables bound in $F^\mu$ variable contexts to objects of the appropriate syntactic class.

As a matter of notation, we will use $y$ and $t$ as term variables in addition to $x$. Often, we write $x$ or $y$ to denote values, whereas $t$ stands for arbitrary terms. (This is merely a mnemonic, however. The fact that $x$ or $y$ is a value will always be guaranteed by some separate, explicit assumption.)

Relation contexts $\mathcal{R}$ bind relation variables $r$, which stand for relations of arbitrary arity between $F^\mu$ terms. For ease of notation, we assume that relation variables $r$ come equipped implicitly with a particular arity (namely, $\mathit{arity}(r)$). Relation substitutions $\varphi$ map relation variables to relations $R$ of the appropriate arity, which we describe below. Proposition contexts $\mathcal{P}$ are sets of propositions, which are just nullary relations that we typically denote using $P$ and $Q$. (Note: We treat all three kinds of contexts as unordered sets, and use comma to denote disjoint union of such sets.)

We write $\mathcal{C}$ to denote a combined context $\mathcal{X}; \mathcal{R}; \mathcal{P}$. Correspondingly, we also define $\mathcal{C}, \mathcal{X}'$ to mean $\mathcal{X}, \mathcal{X}'; \mathcal{R}; \mathcal{P}$ (and similarly for $\mathcal{C}, \mathcal{R}'$ and $\mathcal{C}, \mathcal{P}'$).

Relations $R$ (of which propositions $P$ are a subset) fall into several categories: variable relations ($r$), atomic relations ($A$), first-order propositions ($\top$, $\bot$, $P \wedge Q$, $P \vee Q$, $P \Rightarrow Q$, $\forall\mathcal{X}.P$, $\exists\mathcal{X}.P$), second-order propositions ($\forall\mathcal{R}.P$, $\exists\mathcal{R}.P$), relation introduction and elimination ($\bar{x}.P$, $\bar{e} \in R$), recursive relations ($\mu r.R$), and the later modality ($\triangleright P$) borrowed from AMRV [7].

Atomic propositions $A$ and the axioms concerning them are essentially orthogonal to the other components of the logic. We have listed in Figure 3 one particularly central atomic proposition, $e_1 = e_2$, which says that $e_1$ and $e_2$ are syntactically equal modulo renaming of bound variables. In Section 4.2 we will introduce several other atomic propositions related to the reduction semantics of $F^\mu$. The only common requirement we impose on all of these atomic propositions is that they are first-order, in the sense that they only depend on type and term variables, not relation variables.

The first-order connectives are self-explanatory. The second-order ones provide the ability to abstract over a relation, which is critical in defining logical relations for polymorphic and existential types. As for the relational introduction and elimination forms: $\bar{x}.P$, which we sometimes write as $(\bar{x}).P$, introduces the term relation that one would write in set notation as $\{(\bar{x}) \mid P\}$, and $\bar{e} \in R$ says that the tuple of terms $(\bar{e})$ belongs to the relation $R$. In general, we use the overbar notation to denote a possibly nullary tuple of objects.

A recursive relation $\mu r.R$ denotes the relation $R$ that may refer to itself recursively via the variable $r$. In order to ensure that such relations are well-founded, we require that $R$ be contractive in $r$, a notion that we make precise (following AMRV) using the modal $\triangleright$ operator. Specifically, we define $R$ to be contractive in $r$ if $r$ may only appear in $R$ underneath the $\triangleright$ operator (i.e., inside propositions of the form $\triangleright P$). Intuitively (and formally), $\triangleright P$ means that $P$ is true in all strictly future worlds of the current one. As a result, the meaning of $\mu r.R$ only depends recursively on its own meaning in strictly future worlds. Thus, assuming that the "strictly future world" ordering is well-founded, we can define the meaning of $\mu r.R$ by induction on strictly future worlds.

3.2. A "Step-Indexed" Model of LSLR. Figure 4 defines a Kripke model for LSLR, where the worlds are natural numbers and $m$ is a strictly future world of $n$ if $m < n$. The model enjoys monotonicity, meaning that if a proposition is true in world $n$, it is true in all strictly future worlds as well. Thus, the set of semantic truth values is the complete Heyting algebra $\mathcal{P}^{\downarrow}(\mathbb{N})$ of downward-closed subsets of $\mathbb{N}$, ordered by inclusion (or, isomorphically, the complete Heyting algebra $\bar{\omega}$ of vertical natural numbers with infinity).

We interpret relations and proposition contexts under some semantic interpretation $\delta$, which maps their free relation variables to semantic (i.e., world-indexed, monotone) relations of the appropriate arity. We write $\llbracket R \rrbracket\delta n\bar{e}$ (resp. $\llbracket \mathcal{P} \rrbracket\delta n$) to mean that, under interpretation $\delta$, $\bar{e} \in R$ (resp. $\mathcal{P}$) is true in world $n$. The interpretations refer to $\llbracket \mathcal{X} \rrbracket$ and $\llbracket \mathcal{R} \rrbracket$. The semantic interpretation of a variable context, $\llbracket \mathcal{X} \rrbracket$, is the set of closing variable substitutions $\gamma$ whose domains equal $\mathcal{X}$. The semantic interpretation of a relation context, $\llbracket \mathcal{R} \rrbracket$, is the set of semantic relation substitutions $\delta$ whose domains equal $\mathcal{R}$.
$$\begin{array}{l}
\text{If } n = 0, \text{ then:} \\[0.5ex]
\quad \begin{array}{rcl}
\llbracket R \rrbracket\delta n\bar{e} & \stackrel{\text{def}}{=} & \top \\
\llbracket \mathcal{P} \rrbracket\delta n & \stackrel{\text{def}}{=} & \top
\end{array} \\[1.5ex]
\text{If } n > 0, \text{ then:} \\[0.5ex]
\quad \begin{array}{rcl}
\llbracket r \rrbracket\delta n\bar{e} & \stackrel{\text{def}}{=} & \delta(r)\,n\,\bar{e} \\
\llbracket A \rrbracket\delta n\bar{e} & \stackrel{\text{def}}{=} & \mathcal{I}(A)(\bar{e}) \\
\llbracket \top \rrbracket\delta n & \stackrel{\text{def}}{=} & \top \\
\llbracket \bot \rrbracket\delta n & \stackrel{\text{def}}{=} & \bot \\
\llbracket P \wedge Q \rrbracket\delta n & \stackrel{\text{def}}{=} & \llbracket P \rrbracket\delta n \wedge \llbracket Q \rrbracket\delta n \\
\llbracket P \vee Q \rrbracket\delta n & \stackrel{\text{def}}{=} & \llbracket P \rrbracket\delta n \vee \llbracket Q \rrbracket\delta n \\
\llbracket P \Rightarrow Q \rrbracket\delta n & \stackrel{\text{def}}{=} & \forall k \leq n.\ \llbracket P \rrbracket\delta k \Rightarrow \llbracket Q \rrbracket\delta k \\
\llbracket \forall\mathcal{X}.P \rrbracket\delta n & \stackrel{\text{def}}{=} & \forall \gamma \in \llbracket \mathcal{X} \rrbracket.\ \llbracket \gamma P \rrbracket\delta n \\
\llbracket \exists\mathcal{X}.P \rrbracket\delta n & \stackrel{\text{def}}{=} & \exists \gamma \in \llbracket \mathcal{X} \rrbracket.\ \llbracket \gamma P \rrbracket\delta n \\
\llbracket \forall\mathcal{R}.P \rrbracket\delta n & \stackrel{\text{def}}{=} & \forall \delta' \in \llbracket \mathcal{R} \rrbracket.\ \llbracket P \rrbracket(\delta, \delta')\,n \\
\llbracket \exists\mathcal{R}.P \rrbracket\delta n & \stackrel{\text{def}}{=} & \exists \delta' \in \llbracket \mathcal{R} \rrbracket.\ \llbracket P \rrbracket(\delta, \delta')\,n \\
\llbracket \bar{x}.P \rrbracket\delta n\bar{e} & \stackrel{\text{def}}{=} & \llbracket P[\bar{e}/\bar{x}] \rrbracket\delta n \\
\llbracket \bar{e} \in R \rrbracket\delta n & \stackrel{\text{def}}{=} & \llbracket R \rrbracket\delta n\bar{e} \\
\llbracket \mu r.R \rrbracket\delta n\bar{e} & \stackrel{\text{def}}{=} & \llbracket R[\mu r.R/r] \rrbracket\delta n\bar{e} \\
\llbracket \triangleright P \rrbracket\delta n & \stackrel{\text{def}}{=} & \llbracket P \rrbracket\delta(n-1) \\
\llbracket \mathcal{P} \rrbracket\delta n & \stackrel{\text{def}}{=} & \forall P \in \mathcal{P}.\ \llbracket P \rrbracket\delta n
\end{array}
\end{array}$$

Figure 4: Kripke "Step-Indexed" Model of LSLR



The interpretations in Figure 4 are defined by a double induction, first on the world $n$ (in world 0, everything is true), and second on the "size" of the relation being interpreted. The size of a relation is defined to equal the number of logical/relational conn­ectives in it, ignoring all connectives appearing inside a proposition of the form $\triangleright P$ (i.e., $\triangleright P$ has constant size, no matter what $P$ is). This size metric makes it possible to interpret a recursive relation $\mu r.R$ directly in terms of its expansion $R[\mu r.R/r]$. Assuming the relation is well-formed, this interpretation is well-defined because the expansion has a smaller size. (Specifically, since $R$ is contractive in $r$, we know that $r$ may only appear inside constant-size propositions in $R$, so the size of $R[\mu r.R/r]$ equals the size of $R$, which is smaller than the size of $\mu r.R$.)

Since $\triangleright P$ may have smaller size than $P$, it is critical that the interpretation of $\triangleright P$ in world $n$ be defined in terms of the interpretation of $P$ in strictly future worlds (i.e., worlds strictly less than $n$). Fortunately, this is no problem since, as explained above, $\triangleright P$ means precisely that $P$ is true in all strictly future worlds. Thanks to the built-in monotonicity restriction, it suffices to say that $\triangleright P$ is true in world $n$ iff $P$ is true in world $n-1$.

Otherwise, the interpretation is mostly standard. One point of note is the interpretation of implication $P \Rightarrow Q$, which quantifies over all future worlds in order to ensure monotonicity. Another is the interpretation of atomic relations $A$. We assume an interpretation function $\mathcal{I}$, which maps closed atomic relations $A$ to absolute (i.e., world-independent) relations. As one instance, we define $\mathcal{I}(e_1 = e_2)$ to be true ($\top$) iff $e_1$ is $\alpha$-equivalent to $e_2$.

Using this model, we can define our main logical judgment, $\mathcal{X}; \mathcal{R}; \mathcal{P} \vdash P$. Assuming that $\mathcal{P}$ and $P$ are well-formed in $\mathcal{X}; \mathcal{R}$ (see Appendix B for the definition of proposition/relation
$$\begin{array}{c}
\dfrac{\mathcal{C} \vdash P}{\mathcal{C} \vdash \triangleright P}\ (\textsc{mono})
\qquad\qquad
\dfrac{\mathcal{C} \vdash \triangleright P \Rightarrow P}{\mathcal{C} \vdash P}\ (\textsc{löb}) \\[2.5ex]
\mathcal{C} \vdash \triangleright(P \wedge Q) \iff \mathcal{C} \vdash \triangleright P \wedge \triangleright Q\ (\triangleright\wedge)
\qquad
\mathcal{C} \vdash \triangleright(P \vee Q) \iff \mathcal{C} \vdash \triangleright P \vee \triangleright Q\ (\triangleright\vee)
\qquad
\mathcal{C} \vdash \triangleright(P \Rightarrow Q) \iff \mathcal{C} \vdash \triangleright P \Rightarrow \triangleright Q\ (\triangleright\Rightarrow) \\[2ex]
\mathcal{C} \vdash \triangleright(\forall\mathcal{X}.P) \iff \mathcal{C} \vdash \forall\mathcal{X}.\triangleright P\ (\triangleright\forall_1)
\qquad
\mathcal{C} \vdash \triangleright(\exists\mathcal{X}.P) \iff \mathcal{C} \vdash \exists\mathcal{X}.\triangleright P\ (\triangleright\exists_1) \\[1ex]
\mathcal{C} \vdash \triangleright(\forall\mathcal{R}.P) \iff \mathcal{C} \vdash \forall\mathcal{R}.\triangleright P\ (\triangleright\forall_2)
\qquad
\mathcal{C} \vdash \triangleright(\exists\mathcal{R}.P) \iff \mathcal{C} \vdash \exists\mathcal{R}.\triangleright P\ (\triangleright\exists_2) \\[2.5ex]
\dfrac{\mathcal{C} \vdash e_1 = e_2 \qquad \mathcal{C} \vdash P[e_1/x]}{\mathcal{C} \vdash P[e_2/x]}\ (\textsc{replace1})
\qquad\qquad
\dfrac{\mathcal{C} \vdash R_1 \equiv R_2 \qquad \mathcal{C} \vdash P[R_1/r]}{\mathcal{C} \vdash P[R_2/r]}\ (\textsc{replace2}) \\[2.5ex]
\mathcal{C} \vdash \bar{e} \in \bar{x}.P \iff \mathcal{C} \vdash P[\bar{e}/\bar{x}]\ (\textsc{elem})
\qquad\qquad
\mathcal{C} \vdash \bar{e} \in \mu r.R \iff \mathcal{C} \vdash \bar{e} \in R[\mu r.R/r]\ (\textsc{elem-}\mu)
\end{array}$$

Figure 5: Core Inference Rules of LSLR (a rule written with $\iff$ is bidirectional: either judgment is derivable from the other)



well-formedness), the judgment is interpreted as follows:

$$\mathcal{X}; \mathcal{R}; \mathcal{P} \vdash P \ \stackrel{\text{def}}{=}\ \forall n > 0.\ \forall \gamma \in \llbracket \mathcal{X} \rrbracket.\ \forall \delta \in \llbracket \mathcal{R} \rrbracket.\ \llbracket \gamma\mathcal{P} \rrbracket\delta n \Rightarrow \llbracket \gamma P \rrbracket\delta n$$

Note that we interpret the judgment directly as a statement in the model, rather than inductively defining it via a set of inference rules. This allows us to prove new inference rules sound whenever needed. In the next section, however, we will establish a core set of sound inference rules that will enable us to reason about the judgment (in most cases) without having to appeal directly to the model.

The judgment asserts that under any closing substitution $\gamma$ for $\mathcal{X}$ and any semantic interpretation $\delta$ for $\mathcal{R}$, and in any world $n$, the hypotheses $\mathcal{P}$ imply the conclusion $P$. The key here is that, while $n$ is universally quantified and thus not explicitly mentioned in the logical judgment, the hypotheses $\mathcal{P}$ and the conclusion $P$ are both interpreted in the same world (i.e., step level) $n$. This is what allows us to prove something like "$f_1$ and $f_2$ map $n$-related arguments to $n$-related results" (as discussed in the introduction) without having to talk about a specific step level $n$.

Finally, it is worth noting that, while the Kripke model we have defined here may be viewed as a "step-indexed" model, nothing in the model mentions steps of computation. We happen to be using natural numbers as our worlds, but there is no computational meaning attached to them at this point. The connection between worlds and (certain) steps of computation will be made later on, when we define the logical relation for $F^\mu$ in Section 4.



3.3. Core Inference Rules. We now present the core inference rules of LSLR, all of which are easy to prove sound directly in the model. The most interesting ones are shown in Figure 5; the remainder, all of which are standard rules for second-order intuitionistic logic, appear in Appendix B.

Rule MONO is the axiom of monotonicity, stating that propositions that are true now (in the current world) are also true later (in future worlds). The LÖB rule, adapted from AMRV, provides a clean induction principle over future worlds. If under the assumption that $P$ is true later (in all strictly future worlds) we can prove that it is true in the current world, then by induction $P$ is true in the current world. The induction argument requires no base case because all propositions are assumed true in the final world (i.e., world 0).
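
The following worked check is an added example and not part of the original paper; it spells out, against the model of Figure 4, why MONO and LÖB are sound. It uses only the page's own clauses: $\llbracket \triangleright P \rrbracket\delta n = \llbracket P \rrbracket\delta(n-1)$ for $n > 0$, truth of everything in world 0, the clause for $\Rightarrow$, and the monotonicity of the model.

$$\begin{array}{l}
\textbf{MONO.}\ \text{Fix } n > 0,\ \gamma \in \llbracket \mathcal{X} \rrbracket,\ \delta \in \llbracket \mathcal{R} \rrbracket \text{ with } \llbracket \gamma\mathcal{P} \rrbracket\delta n. \text{ The premise gives } \llbracket \gamma P \rrbracket\delta n; \\
\quad \text{since } n-1 < n, \text{ monotonicity gives } \llbracket \gamma P \rrbracket\delta(n-1) = \llbracket \triangleright\gamma P \rrbracket\delta n, \text{ i.e. } \mathcal{C} \vdash \triangleright P. \\[1.5ex]
\textbf{LÖB.}\ \text{The premise } \mathcal{C} \vdash \triangleright P \Rightarrow P \text{ unfolds, for every } n > 0 \text{ with } \llbracket \gamma\mathcal{P} \rrbracket\delta n, \text{ to} \\
\quad \forall k \leq n.\ \llbracket \triangleright\gamma P \rrbracket\delta k \Rightarrow \llbracket \gamma P \rrbracket\delta k. \qquad (\ast) \\
\quad \text{Fix such } n, \gamma, \delta \text{ and show } \llbracket \gamma P \rrbracket\delta k \text{ for all } k \leq n \text{ by induction on } k: \\
\quad k = 0:\ \llbracket \gamma P \rrbracket\delta 0 = \top \text{ (this is why no base case is needed).} \\
\quad k > 0:\ \text{the induction hypothesis gives } \llbracket \gamma P \rrbracket\delta(k-1) = \llbracket \triangleright\gamma P \rrbracket\delta k, \text{ and } (\ast) \text{ at this } k \text{ yields } \llbracket \gamma P \rrbracket\delta k. \\
\quad \text{At } k = n \text{ this is } \llbracket \gamma P \rrbracket\delta n, \text{ so } \mathcal{C} \vdash P.
\end{array}$$
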
The remainder of the rules concerning the later operator state that the later operator distributes over all propositional connectives. Not all these distributivity laws are valid in classical Gödel-Löb logic or AMRV, but they hold here due to our axiom of monotonicity.

For example, we give here the proof of Rule $\triangleright\Rightarrow$:

Proposition 3.1. Rule $\triangleright\Rightarrow$ is admissible.

Proof. First, the forwards direction. Suppose $\llbracket \triangleright(P \Rightarrow Q) \rrbracket\delta n$ and $\llbracket \triangleright P \rrbracket\delta n$. We want to show $\llbracket \triangleright Q \rrbracket\delta n$. If $n = 0$, the proof is trivial, so assume $n > 0$. By the interpretation of $\triangleright$, we know $\llbracket P \Rightarrow Q \rrbracket\delta(n-1)$ and $\llbracket P \rrbracket\delta(n-1)$. Thus, by the interpretation of $\Rightarrow$, we know $\llbracket Q \rrbracket\delta(n-1)$, which is equivalent to our goal.

Next, the backwards direction. Suppose $\llbracket \triangleright P \Rightarrow \triangleright Q \rrbracket\delta n$; we want to show $\llbracket \triangleright(P \Rightarrow Q) \rrbracket\delta n$. If $n = 0$, the proof is trivial, so assume $n > 0$. Our goal is equivalent to $\llbracket P \Rightarrow Q \rrbracket\delta(n-1)$, so suppose $k \leq n-1$ and $\llbracket P \rrbracket\delta k$, and we will prove $\llbracket Q \rrbracket\delta k$. By the interpretation of $\triangleright$, we know $\llbracket \triangleright P \rrbracket\delta(k+1)$. Since $k+1 \leq n$, by the interpretation of $\Rightarrow$ we obtain $\llbracket \triangleright Q \rrbracket\delta(k+1)$, which is equivalent to $\llbracket Q \rrbracket\delta k$, our desired goal.

Note that the backwards direction relies critically on monotonicity. In the absence of monotonicity, the premise $\llbracket \triangleright P \Rightarrow \triangleright Q \rrbracket\delta n$ is only applicable if $\llbracket P \rrbracket\delta k$ for all $k < n$, but in the proof we only assume $\llbracket P \rrbracket\delta k$ for some $k < n$. $\square$

The replacement axioms (REPLACE1 and REPLACE2) say that we can substitute equals for equals inside a proposition without affecting its meaning. For terms, equality is just syntactic equality. For relations, equivalence is definable as

$$R_1 \equiv R_2 \ \stackrel{\text{def}}{=}\ \forall \bar{x}.\ (\bar{x} \in R_1 \Rightarrow \bar{x} \in R_2) \wedge (\bar{x} \in R_2 \Rightarrow \bar{x} \in R_1)$$
The last two rules concern inhabitation of relations. The key interesting point here is 
that recursive relations are equivalent to their expansions. 

Lastly, when we introduce atomic propositions in the next section related to $F^\mu$ reduction, we will want to also import into LSLR various first-order theorems about those propositions, e.g., preservation, progress, canonical forms, etc. Fortunately, this can be done easily, without requiring any stepwise reasoning.

Formally, assuming $P$ is a first-order proposition (i.e., it does not involve relation variables, recursive relations, second-order quantification, or the $\triangleright$ operator), then it is easy to show that $P$ is true in all worlds $n$ iff it is true in world 1 (the "latest" nontrivial world). Consequently, the following rule is sound:

$$\frac{\forall \gamma \in \llbracket \mathcal{X} \rrbracket.\ \llbracket \gamma P \rrbracket 1}{\mathcal{X}; \mathcal{R}; \mathcal{P} \vdash P}$$

Thus, in particular, if $P$ is closed:

$$\frac{\llbracket P \rrbracket 1}{\vdash P}$$

For first-order $P$, the interpretation of $\llbracket P \rrbracket 1$ in our model is tantamount to the standard step-free interpretation of $P$ in first-order logic.
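As an added worked example (not part of the original paper), here is the induction behind the claim that a first-order $P$ holds in every world $n \geq 1$ as soon as it holds in world 1. It uses the clauses of Figure 4 and the assumption, stated in Section 3.2, that atomic relations are interpreted by world-independent $\mathcal{I}(A)$.

$$\begin{array}{l}
\text{Claim: for first-order } P \text{ (no } r,\ \mu r.R,\ \forall\mathcal{R},\ \exists\mathcal{R},\ \triangleright) \text{ and all } n, m \geq 1:\ \llbracket P \rrbracket\delta n \iff \llbracket P \rrbracket\delta m. \\[0.5ex]
\text{Proof by induction on the size of } P \text{ (substitution } \gamma P \text{ does not change the size):} \\
\quad A:\ \llbracket A \rrbracket\delta n\bar{e} = \mathcal{I}(A)(\bar{e}) \text{ does not mention } n. \qquad \top, \bot:\ \text{constant.} \\
\quad P \wedge Q,\ P \vee Q,\ \forall\mathcal{X}.P,\ \exists\mathcal{X}.P,\ \bar{x}.P,\ \bar{e} \in R:\ \text{each clause applies the induction hypothesis at the same } n. \\
\quad P \Rightarrow Q:\ \llbracket P \Rightarrow Q \rrbracket\delta n = \forall k \leq n.\ \llbracket P \rrbracket\delta k \Rightarrow \llbracket Q \rrbracket\delta k. \text{ The case } k = 0 \text{ holds trivially (world 0 is all-true),} \\
\quad\quad \text{and by the induction hypothesis every } k \geq 1 \text{ states the same implication as } k = 1; \\
\quad\quad \text{so for every } n \geq 1 \text{ the clause is equivalent to } \llbracket P \rrbracket\delta 1 \Rightarrow \llbracket Q \rrbracket\delta 1. \\[0.5ex]
\text{Hence } \llbracket P \rrbracket\delta 1 \text{ settles } P \text{ in all worlds } n > 0, \text{ which is exactly what the rule above needs; and since no } r \text{ occurs, } \delta \text{ is irrelevant.}
\end{array}$$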

In other words, our goal here is not to use LSLR to formalize entire proofs, just the 
parts of the proofs that involve interesting relational reasoning. We are happy to make use 
of first-order syntactic properties proved by other means in the meta-logic. 
4. A Syntactic Logical Relation for $F^\mu$

In this section, we show how to define a logical relation for $F^\mu$ that coincides with contextual approximation, as well as a symmetric version thereof that coincides with contextual equivalence. The relation is defined syntactically within the logic LSLR, using a particular set of atomic propositions concerning the $F^\mu$ reduction semantics, as we explain below.

4.1. Roadmap and Preliminaries. Eventually, we are going to define a logical relation on open terms, which we denote $\Gamma \vdash e_1 \preceq^{\mathit{log}} e_2 : \tau$, and prove that it is sound and complete w.r.t. contextual approximation, $\Gamma \vdash e_1 \preceq^{\mathit{ctx}} e_2 : \tau$, as defined in Section 2. In order to prove this, we will follow Pitts [26] in employing an intermediate form of approximation, often referred to as ciu approximation.

Ciu approximation, due to Mason and Talcott [21], is a superficially coarser version of contextual approximation in which (1) attention is restricted to evaluation contexts $E$ instead of arbitrary program contexts, and (2) the "closing" of open terms is handled by an explicit substitution $\gamma$ instead of relying on $\lambda$-abstractions in a closing context $C$. We say that ciu approximation is only superficially coarser because ultimately we will prove that it too coincides with contextual approximation. In the meantime, ciu approximation turns out to be an easier notion of approximation to work with.

First, a bit of notation: we will write $\vdash \gamma : \Gamma$ to mean that (1) $\mathrm{dom}(\gamma) = \mathrm{dom}(\Gamma)$, (2) $\forall \alpha \in \Gamma.\ \mathrm{FV}(\gamma\alpha) = \emptyset$, and (3) $\forall x{:}\tau \in \Gamma.\ \exists v.\ \gamma x = v \wedge\ \vdash v : \gamma\tau$. We will also write $\vdash E : \tau \rightsquigarrow \tau'$ to mean $\vdash E : (\cdot \vdash \tau) \rightsquigarrow (\cdot \vdash \tau')$, thus defining the typing of evaluation contexts in terms of the typing judgment for general contexts $C$ (introduced in Section 2.1).

Definition 4.1 (Ciu Approximation for Closed Terms). Let $\cdot \vdash e_1 : \tau$ and $\cdot \vdash e_2 : \tau$.

$$\vdash e_1 \preceq^{\mathit{ciu}} e_2 : \tau \ \stackrel{\text{def}}{=}\ \forall E, \tau'.\ (\vdash E : \tau \rightsquigarrow \tau' \wedge E[e_1]\Downarrow) \Rightarrow E[e_2]\Downarrow$$

Definition 4.2 (Ciu Approximation for Open Terms). Let $\Gamma \vdash e_1 : \tau$ and $\Gamma \vdash e_2 : \tau$.

$$\Gamma \vdash e_1 \preceq^{\mathit{ciu}} e_2 : \tau \ \stackrel{\text{def}}{=}\ \forall \gamma.\ \vdash \gamma : \Gamma \Rightarrow\ \vdash \gamma e_1 \preceq^{\mathit{ciu}} \gamma e_2 : \gamma\tau$$

Definition 4.3 (Ciu Equivalence). Let $\Gamma \vdash e_1 : \tau$ and $\Gamma \vdash e_2 : \tau$.

$$\Gamma \vdash e_1 \approx^{\mathit{ciu}} e_2 : \tau \ \stackrel{\text{def}}{=}\ \Gamma \vdash e_1 \preceq^{\mathit{ciu}} e_2 : \tau \wedge \Gamma \vdash e_2 \preceq^{\mathit{ciu}} e_1 : \tau$$

One of the main reasons to use ciu approximation instead of contextual approximation is that it is immediately obvious that the $F^\mu$ reduction relation is contained in ciu equivalence (part (3) of the following proposition).

Proposition 4.4 (Useful Properties of Ciu Approximation).

(1) If $\Gamma \vdash e : \tau$, then $\Gamma \vdash e \preceq^{\mathit{ciu}} e : \tau$.

(2) If $\Gamma \vdash e_1 \preceq^{\mathit{ciu}} e_2 : \tau$ and $\Gamma \vdash e_2 \preceq^{\mathit{ciu}} e_3 : \tau$, then $\Gamma \vdash e_1 \preceq^{\mathit{ciu}} e_3 : \tau$.

(3) If $\Gamma \vdash e_1 : \tau$ and $e_1 \hookrightarrow^{*} e_2$, then $\Gamma \vdash e_1 \approx^{\mathit{ciu}} e_2 : \tau$.

(4) If $\vdash e_1 \preceq^{\mathit{ciu}} e_2 : \tau$ and $\vdash E : \tau \rightsquigarrow \tau'$, then $\vdash E[e_1] \preceq^{\mathit{ciu}} E[e_2] : \tau'$.

Again following Pitts [26], we will show that contextual, ciu, and logical approximation all coincide by showing that $\preceq^{\mathit{ctx}} \subseteq \preceq^{\mathit{ciu}} \subseteq \preceq^{\mathit{log}} \subseteq \preceq^{\mathit{ctx}}$. The first link of that chain is easy.

Theorem 4.5 (Contextual Approximation $\Rightarrow$ Ciu Approximation).
If $\Gamma \vdash e_1 \preceq^{\mathit{ctx}} e_2 : \tau$, then $\Gamma \vdash e_1 \preceq^{\mathit{ciu}} e_2 : \tau$.
Proof. Suppose $\vdash \gamma : \Gamma$, $\vdash E : \gamma\tau \rightsquigarrow \tau'$, and $E[\gamma e_1]\Downarrow$. We want to show $E[\gamma e_2]\Downarrow$. Say that $\Gamma = \alpha_1, \ldots, \alpha_m, x_1{:}\tau_1, \ldots, x_n{:}\tau_n$ and that $\gamma\alpha_i = \sigma_i$ and $\gamma x_i = v_i$ for some $\sigma_i$'s and $v_i$'s. Then, let $C = (\Lambda\alpha_1.\cdots\Lambda\alpha_m.\lambda x_1{:}\tau_1.\cdots\lambda x_n{:}\tau_n.\,[\cdot])\ \sigma_1 \cdots \sigma_m\ v_1 \cdots v_n$. It is easy to show that $\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\cdot \vdash \gamma\tau)$, and thus that $\vdash E[C] : (\Gamma \vdash \tau) \rightsquigarrow (\cdot \vdash \tau')$. It is also easy to show that $E[C[e_i]] \hookrightarrow^{*} E[\gamma e_i]$, and thus that $E[C[e_i]]\Downarrow$ iff $E[\gamma e_i]\Downarrow$. So the goal is reduced to showing that $E[C[e_1]]\Downarrow$ implies $E[C[e_2]]\Downarrow$, which follows from $\Gamma \vdash e_1 \preceq^{\mathit{ctx}} e_2 : \tau$. $\square$

4.2. Atomic Relations. In order to define our logical relation, we introduce the following 
new atomic relations: 

A ::= • • • I Val \ e : t \ C : t t' \ ei ^* 62 | ei 62 \ ei 62 | ei ^ 62 

Except for the first, which is a unary relation, the rest are all nullary {i.e., propositions). 
The interpretations of these propositions, I{A), are as follows: 

• X(Val)(e) = 3v. e = v. 

• I(e : t) \- e : T. 

• I{C ■.t^t')'^= 3E.C = E A ^ E-.t-^t'. 

• J-\e\ ^ €2) = ei ^ €2- 

• X(ei 62) *== ei 62 and none of the reductions in the reduction sequence is an 
unroll-roll reduction. 

• X(ei 62) *== ei 62 and exactly one of the reductions in the reduction sequence is 
an unroll-roll reduction. 

• 2:(ei ^ 62) =^ 3r. h ei 62 : r. 

The motivation for using this particular set of atomic propositions will become clear 
shortly. One point of note is that the ei ^ 62 proposition lacks a type; this is simply for 
brevity, since enjoys unique typing. Another is that, although the proposition C : t t' 
permits an arbitrary context C, the proposition only holds when C takes the form of an 
evaluation context, and we will only use it when C is an evaluation context. The reason 
that we do not syntactically write E here instead of C is simply that the syntaxes of 
values V and evaluation contexts E are not closed under substitution of arbitrary terms for 
variables — they assume that variables are values — and we want proposition well-formedness 
to be preserved under arbitrary term substitutions. All this means, practically speaking, 
is that something like x [■] : t ^ t' cannot hold categorically, but only in a context where 
X G Val is also provable. 

As explained in Section 3.3, along with these new atomic propositions, we will also make use of various first-order theorems about them, which are provable straightforwardly in the meta-logic without requiring any stepwise reasoning. For example,

$\dfrac{C \vdash e \hookrightarrow^* e_1 \qquad C \vdash e \hookrightarrow^* e_2}{C \vdash e_1 \hookrightarrow^* e_2 \;\vee\; e_2 \hookrightarrow^* e_1}$

and

$\dfrac{C \vdash E : \tau \rightsquigarrow \tau' \qquad C \vdash e_1 : \tau \qquad C \vdash e_2 : \tau \qquad C \vdash e_1 \preceq e_2}{C \vdash E[e_1] \preceq E[e_2]}$

See the proofs in subsequent sections for more examples.
Figure 6: Syntactic Logical Relation for $F^\mu$

$\mathcal{V}\llbracket\alpha\rrbracket\rho \overset{\mathrm{def}}{=} R$, where $\rho(\alpha) = (\tau_1, \tau_2, R)$

$\mathcal{V}\llbracket\tau_b\rrbracket\rho \overset{\mathrm{def}}{=} (x_1 \downarrow \tau_b, x_2 \downarrow \tau_b).\; x_1 = x_2$, where $\tau_b \in \{\mathsf{unit}, \mathsf{int}, \mathsf{bool}\}$

$\mathcal{V}\llbracket\tau' \times \tau''\rrbracket\rho \overset{\mathrm{def}}{=} (x_1 \downarrow \rho_1(\tau' \times \tau''), x_2 \downarrow \rho_2(\tau' \times \tau'')).\;
\exists x_1', x_1'', x_2', x_2''.\; x_1 = (x_1', x_1'') \wedge x_2 = (x_2', x_2'') \wedge (x_1', x_2') \in \mathcal{V}\llbracket\tau'\rrbracket\rho \wedge (x_1'', x_2'') \in \mathcal{V}\llbracket\tau''\rrbracket\rho$

$\mathcal{V}\llbracket\tau' + \tau''\rrbracket\rho \overset{\mathrm{def}}{=} (x_1 \downarrow \rho_1(\tau' + \tau''), x_2 \downarrow \rho_2(\tau' + \tau'')).\;
(\exists x_1', x_2'.\; x_1 = \mathsf{inl}\,x_1' \wedge x_2 = \mathsf{inl}\,x_2' \wedge (x_1', x_2') \in \mathcal{V}\llbracket\tau'\rrbracket\rho) \;\vee\;
(\exists x_1'', x_2''.\; x_1 = \mathsf{inr}\,x_1'' \wedge x_2 = \mathsf{inr}\,x_2'' \wedge (x_1'', x_2'') \in \mathcal{V}\llbracket\tau''\rrbracket\rho)$

$\mathcal{V}\llbracket\tau' \to \tau''\rrbracket\rho \overset{\mathrm{def}}{=} (x_1 \downarrow \rho_1(\tau' \to \tau''), x_2 \downarrow \rho_2(\tau' \to \tau'')).\;
\forall y_1, y_2.\; (y_1, y_2) \in \mathcal{V}\llbracket\tau'\rrbracket\rho \Rightarrow (x_1\,y_1, x_2\,y_2) \in \mathcal{E}\llbracket\tau''\rrbracket\rho$

$\mathcal{V}\llbracket\forall\alpha.\tau\rrbracket\rho \overset{\mathrm{def}}{=} (x_1 \downarrow \rho_1(\forall\alpha.\tau), x_2 \downarrow \rho_2(\forall\alpha.\tau)).\;
\forall \alpha_1, \alpha_2.\; \forall r.\; r : \mathrm{VRel}(\alpha_1, \alpha_2) \Rightarrow (x_1\,\alpha_1, x_2\,\alpha_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho, \alpha \mapsto (\alpha_1, \alpha_2, r)$

$\mathcal{V}\llbracket\exists\alpha.\tau\rrbracket\rho \overset{\mathrm{def}}{=} (x_1 \downarrow \rho_1(\exists\alpha.\tau), x_2 \downarrow \rho_2(\exists\alpha.\tau)).\;
\exists \alpha_1, \alpha_2, y_1, y_2.\; \exists r.\; r : \mathrm{VRel}(\alpha_1, \alpha_2) \wedge
x_1 = \mathsf{pack}\,\alpha_1, y_1\;\mathsf{as}\;\exists\alpha.\rho_1\tau \wedge x_2 = \mathsf{pack}\,\alpha_2, y_2\;\mathsf{as}\;\exists\alpha.\rho_2\tau \wedge
(y_1, y_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho, \alpha \mapsto (\alpha_1, \alpha_2, r)$

$\mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho \overset{\mathrm{def}}{=} \mu r.(x_1 \downarrow \rho_1(\mu\alpha.\tau), x_2 \downarrow \rho_2(\mu\alpha.\tau)).\;
\exists y_1, y_2.\; x_1 = \mathsf{roll}\,y_1 \wedge x_2 = \mathsf{roll}\,y_2 \wedge
\triangleright (y_1, y_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho, \alpha \mapsto (\rho_1(\mu\alpha.\tau), \rho_2(\mu\alpha.\tau), r)$

$\mathcal{E}\llbracket\tau\rrbracket\rho \overset{\mathrm{def}}{=} \mu r.(t_1 : \rho_1\tau, t_2 : \rho_2\tau).\;
(\forall x_1.\; t_1 \Downarrow^0 x_1 \Rightarrow \exists x_2.\; x_2 \preceq t_2 \wedge (x_1, x_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho) \;\wedge\;
(\forall t_1'.\; t_1 \hookrightarrow^1 t_1' \Rightarrow \triangleright (t_1', t_2) \in r)$

Finally, we will make use of some additional notation, which is definable in terms of the atomic propositions we have introduced:

$e \downarrow \tau \overset{\mathrm{def}}{=} e : \tau \wedge e \in \mathrm{Val}$

$e_1 \Downarrow e_2 \overset{\mathrm{def}}{=} e_1 \hookrightarrow^* e_2 \wedge e_2 \in \mathrm{Val}$

$e_1 \Downarrow^0 e_2 \overset{\mathrm{def}}{=} e_1 \hookrightarrow^0 e_2 \wedge e_2 \in \mathrm{Val}$

$R : \mathrm{TRel}(\tau_1, \tau_2) \overset{\mathrm{def}}{=} \forall x_1, x_2.\; (x_1, x_2) \in R \Rightarrow x_1 : \tau_1 \wedge x_2 : \tau_2$

$R : \mathrm{VRel}(\tau_1, \tau_2) \overset{\mathrm{def}}{=} \forall x_1, x_2.\; (x_1, x_2) \in R \Rightarrow x_1 \downarrow \tau_1 \wedge x_2 \downarrow \tau_2$

$(x_1 : \tau_1, x_2 : \tau_2).\, P \overset{\mathrm{def}}{=} (x_1, x_2).\, x_1 : \tau_1 \wedge x_2 : \tau_2 \wedge P$

$(x_1 \downarrow \tau_1, x_2 \downarrow \tau_2).\, P \overset{\mathrm{def}}{=} (x_1, x_2).\, x_1 \downarrow \tau_1 \wedge x_2 \downarrow \tau_2 \wedge P$

4.3. Logical Relation. Figure 6 defines two logical relations for $F^\mu$, one for values ($\mathcal{V}\llbracket\tau\rrbracket\rho$) and one for terms ($\mathcal{E}\llbracket\tau\rrbracket\rho$). These are syntactic LSLR relations, defined by induction on $\tau$. Here, $\rho$ is assumed to be a syntactic relational interpretation of the free type variables of $\tau$, i.e., a mapping from each $\alpha \in FV(\tau)$ to a triple $(\tau_1, \tau_2, R)$ such that $R : \mathrm{VRel}(\tau_1, \tau_2)$. We write $\rho_i$ to mean the type substitution mapping each $\alpha$ to the corresponding $\tau_i$. Thus, it is trivial to prove that $\mathcal{V}\llbracket\tau\rrbracket\rho : \mathrm{VRel}(\rho_1\tau, \rho_2\tau)$ and $\mathcal{E}\llbracket\tau\rrbracket\rho : \mathrm{TRel}(\rho_1\tau, \rho_2\tau)$. Except for the last two cases ($\mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho$ and $\mathcal{E}\llbracket\tau\rrbracket\rho$), the definition of the logical relation is entirely straightforward, following Plotkin and Abadi [30], with each type constructor being modeled by its corresponding logical connective via the Curry-Howard isomorphism.

First, let us consider $\mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho$. The basic idea here is to give the relational interpretation of a recursive type using a recursive relation $\mu r.R$. Recall, though, that references to $r$ in $R$ must only appear under "later" propositions. Thus, we have that $\mathsf{roll}\,v_1$ and $\mathsf{roll}\,v_2$ are related by $\mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho$ "now" iff $v_1$ and $v_2$ are related by $\mathcal{V}\llbracket\tau\rrbracket\rho, \alpha \mapsto (\ldots, \mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho) = \mathcal{V}\llbracket\tau[\mu\alpha.\tau/\alpha]\rrbracket\rho$ "later".

Next, consider $\mathcal{E}\llbracket\tau\rrbracket\rho$. Intuitively, we would like to say that two terms $e_1$ and $e_2$ are related if, whenever $e_1$ evaluates to some value $v_1$, we have that $e_2$ also evaluates to some value $v_2$ such that $(v_1, v_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho$. In fact, in the case that $e_1$ evaluates to $v_1$ without incurring any unroll-roll reductions (i.e., when $e_1 \Downarrow^0 v_1$), the definition of $\mathcal{E}\llbracket\tau\rrbracket\rho$ almost says this — the only difference is that instead of saying "$e_2$ evaluates to some value $v_2$ such that...", it says that "$e_2$ is ciu-approximated by some value $v_2$ such that..." Of course, by definition of ciu approximation, this also implies that $e_2$ terminates, but it is somewhat more liberal in that it does not require the value that $e_2$ produces to be directly related to $v_1$ by $\mathcal{V}\llbracket\tau\rrbracket\rho$. This extra freedom is not strictly necessary if we just want to define a logical relation that is sound w.r.t. contextual approximation — as we did in the previous version of this paper [14] — but it is key to ensuring completeness (see Theorems 4.24 and 4.25 in Section 4.6). An alternative approach to ensuring completeness would be to employ $\top\top$-closure, as Pitts does [26]. We discuss this alternative in Section 8.

However, in the case that the evaluation of $e_1$ incurs an unroll-roll reduction, the interpretation of recursive types forces us to require something still weaker. Specifically, in order to prove that the logical relation is sound with respect to contextual approximation, we must prove that it is compatible in the sense of Pitts [26]. Compatibility for unroll demands that if $\mathsf{roll}\,v_1$ and $\mathsf{roll}\,v_2$ are logically related, then $\mathsf{unroll}\,(\mathsf{roll}\,v_1)$ and $\mathsf{unroll}\,(\mathsf{roll}\,v_2)$ are related, too. By definition of $\mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho$, knowing $\mathsf{roll}\,v_1$ and $\mathsf{roll}\,v_2$ are related only tells us that $v_1$ and $v_2$ are related "later". We need to be able to derive from that that $\mathsf{unroll}\,(\mathsf{roll}\,v_1)$ and $\mathsf{unroll}\,(\mathsf{roll}\,v_2)$ are related "now". Thus, in defining whether $(e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$, in the case that $e_1$ makes an unroll-roll reduction (i.e., $e_1 \hookrightarrow^1 e_1'$), we only require that $e_1'$ and $e_2$ be related later (i.e., $\triangleright(e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$).

For the reader who is familiar with prior work on step-indexed models and logical 
relations, our formulation here may seem familiar and yet somewhat unusual. Our use of 
the later operator corresponds to where one would "go down a step" in the construction 
of a step-indexed model. However, in prior work, step-indexed models typically go down a 
step everywhere (i.e., in every case of the logical relation), not just in one or two places, and 
"count" every step, not just unroll-roll reductions. If one is working with equi-recursive 
types, this may be the only option, but here we are working with iso-recursive types, and 
our present formulation serves to isolate the use of the later operator to the few places 
where it is absolutely needed. While we do not believe there is a fundamental difference 
between what one can prove using this logical relation vs. previous accounts, our formulation 
enables more felicitous statements of certain properties, such as the extensionality principle 
for functions (see discussion of Rule funext below). 

Finally, it is worth noting that, like step-indexed models, LSLR imposes no "admissibility" requirement on candidate relations. Intuitively, the reason admissibility is unnecessary is that it is an infinitary property. In LSLR, we only ever reason about finitary properties, i.e., propositions that hold true in the "current" world; we do not even have the ability (within the logic) to talk about truth in all worlds.
Figure 7: Some Useful Derivable Rules

(val)
$\dfrac{C \vdash (e_1, e_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}$

(weak-$\triangleright$)
$\dfrac{\triangleleft C \vdash P}{C \vdash \triangleright P}$

(exp)
$\dfrac{C \vdash e_1 : \rho_1\tau \qquad C \vdash e_1 \hookrightarrow^* e_1' \qquad C \vdash (e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}$

(exp-$\triangleright$)
$\dfrac{C \vdash e_1 : \rho_1\tau \qquad C \vdash e_2 : \rho_2\tau \qquad C \vdash e_1 \hookrightarrow^1 e_1' \qquad C \vdash \triangleright(e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}$

(red)
$\dfrac{C \vdash e_1' \hookrightarrow^0 e_1 \qquad C \vdash (e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}$

(ciu)
$\dfrac{C \vdash (e_1, e_2') \in \mathcal{E}\llbracket\tau\rrbracket\rho \qquad C \vdash e_2' \preceq e_2}{C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho}$

(bind)
$\dfrac{\begin{array}{c}
C \vdash E : \rho_1\tau \rightsquigarrow \rho_1'\tau' \qquad C \vdash f : \rho_2'\tau' \qquad C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho \\
C, x_1, x_2, (x_1, x_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho, e_1 \hookrightarrow^* x_1, x_2 \preceq e_2 \vdash (E[x_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'
\end{array}}{C \vdash (E[e_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'}$

(bind2)
$\dfrac{\begin{array}{c}
C \vdash E_1 : \rho_1\tau \rightsquigarrow \rho_1'\tau' \qquad C \vdash E_2 : \rho_2\tau \rightsquigarrow \rho_2'\tau' \qquad C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho \\
C, x_1, x_2, (x_1, x_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho, e_1 \hookrightarrow^* x_1, x_2 \preceq e_2 \vdash (E_1[x_1], E_2[x_2]) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'
\end{array}}{C \vdash (E_1[e_1], E_2[e_2]) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'}$

(app)
$\dfrac{C \vdash (f_1, f_2) \in \mathcal{E}\llbracket\tau' \to \tau''\rrbracket\rho \qquad C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau'\rrbracket\rho}{C \vdash (f_1\,e_1, f_2\,e_2) \in \mathcal{E}\llbracket\tau''\rrbracket\rho}$

(unroll)
$\dfrac{C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\mu\alpha.\tau\rrbracket\rho}{C \vdash (\mathsf{unroll}\,e_1, \mathsf{unroll}\,e_2) \in \mathcal{E}\llbracket\tau[\mu\alpha.\tau/\alpha]\rrbracket\rho}$

(funext)
$\dfrac{C \vdash e_1 \downarrow \rho_1(\tau' \to \tau'') \qquad C \vdash e_2 \downarrow \rho_2(\tau' \to \tau'') \qquad C, x_1, x_2, (x_1, x_2) \in \mathcal{V}\llbracket\tau'\rrbracket\rho \vdash (e_1\,x_1, e_2\,x_2) \in \mathcal{E}\llbracket\tau''\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{V}\llbracket\tau' \to \tau''\rrbracket\rho}$

(fix), where $F_i = \mathsf{fix}\,f(x_i).e_i$
$\dfrac{\begin{array}{c}
C \vdash F_1 : \rho_1(\tau' \to \tau'') \qquad C \vdash F_2 : \rho_2(\tau' \to \tau'') \\
\triangleleft C, x_1, x_2, (x_1, x_2) \in \mathcal{V}\llbracket\tau'\rrbracket\rho, (F_1, F_2) \in \mathcal{V}\llbracket\tau' \to \tau''\rrbracket\rho \vdash (e_1[F_1/f], e_2[F_2/f]) \in \mathcal{E}\llbracket\tau''\rrbracket\rho
\end{array}}{C \vdash (F_1, F_2) \in \mathcal{V}\llbracket\tau' \to \tau''\rrbracket\rho}$



4.4. Derivable Rules. Figure 7 shows a number of useful inference rules that are derivable in the logic. To be clear, by "derivable" we mean that the proofs of these rules' soundness (given below in Section 4.5) are done just using the inference rules we have established so far, without needing to appeal directly to the model and perform stepwise reasoning. In all these rules, we assume implicitly that all propositions are well-formed. For the rules concerning $\mathcal{V}\llbracket\tau\rrbracket\rho$ and $\mathcal{E}\llbracket\tau\rrbracket\rho$, we assume that $\rho$ binds the free variables of $\tau$ and maps them to triples $(\tau_1, \tau_2, R)$, where $R : \mathrm{VRel}(\tau_1, \tau_2)$ is provable in the ambient context.

Rule VAL says that $\mathcal{E}\llbracket\tau\rrbracket\rho$ contains $\mathcal{V}\llbracket\tau\rrbracket\rho$. This rule is so fundamental and ubiquitously useful that we will often elide mention of it in our proofs.
Rule WEAK-$\triangleright$ is a weakening property that is easy to derive from the distributivity laws for the $\triangleright$ operator. The rule employs an $\triangleleft$ operator (pronounced "earlier") on propositions/contexts, defined as follows:

$\triangleleft(\triangleright P) \overset{\mathrm{def}}{=} P$

$\triangleleft P \overset{\mathrm{def}}{=} P \qquad (\text{if } P \neq \triangleright P')$

This $\triangleleft$ operator has the effect of "un-$\triangleright$-ing" (i.e., stripping the $\triangleright$ off of) any $\triangleright P$ hypotheses in the context. Note that this is purely a shallow syntactic operation; it does not un-$\triangleright$ any hypotheses that are propositionally equivalent to some $\triangleright P$ but not syntactically of that form. (The reader may wonder why we define $\triangleleft$ in this syntactic way instead of building it in as a primitive modality with the seemingly natural interpretation $\llbracket\triangleleft P\rrbracket\delta\,n = \llbracket P\rrbracket\delta\,(n+1)$. The trouble is that this interpretation is not well-founded, since it defines the meaning of $\triangleleft P$ in terms of the meaning of $P$ at a higher step level. And indeed, our syntactic $\triangleleft$ does not satisfy this interpretation.)

Consequently, Rule WEAK-$\triangleright$ says that if we want to show $P$ is true later, given some assumptions that are true now, and others that are true later, then we can just prove that $P$ is true now given that all the assumptions are true now. This is a weakening property because, applying the rule backwards, we forget the fact that some of the hypotheses in $C$ (namely, those that are not of the form $\triangleright P$) are true at an earlier world than the others.

The WEAK-$\triangleright$ rule is particularly useful in conjunction with the LÖB rule. Specifically, thanks to the LÖB rule, a frequently effective approach to proving two terms $e_1$ and $e_2$ related is to assume inductively that they are related later and then prove that they are related now. Eventually, we may reduce our proof goal (via, e.g., Rule EXP-$\triangleright$, explained below) to showing that two other terms $e_1'$ and $e_2'$ are related later. At that point, Rule WEAK-$\triangleright$ allows us to un-$\triangleright$ both our new proof goal (relatedness of $e_1'$ and $e_2'$) and our original LÖB-inductive hypothesis (relatedness of $e_1$ and $e_2$) simultaneously. We will see an instance of this proof pattern in the example in Section 5.2.

The next four rules in Figure 7 allow one to prove that two terms $e_1$ and $e_2$ are related by converting one of the terms to something else. Rule EXP (closure of the logical relation under expansion) allows one to reduce $e_1$ to some $e_1'$ according to the $\hookrightarrow^*$ relation and then show that $e_1'$ is related to $e_2$. Rule RED (closure of the logical relation under $\hookrightarrow^0$ reduction) allows one to expand $e_1$ to some $e_1'$ according to the $\hookrightarrow^0$ relation and then show that $e_1'$ is related to $e_2$. Rule CIU allows one to replace $e_2$ with some $e_2'$ that ciu-approximates it, and then show that $e_1$ is related to $e_2'$. Rule EXP-$\triangleright$ is similar to Rule EXP, but addresses the case when $e_1$ incurs an unroll-roll reduction on the way to $e_1'$. In this case, unfolding the definition of $\mathcal{E}\llbracket\tau\rrbracket\rho$, all we have to show is that $e_1'$ and $e_2$ are related later.

The aforementioned rules are all useful when we know what the terms in question reduce/expand to. Rule BIND is important because it handles the case when a term is "stuck". For instance, suppose we want to show that $e$ and $f$ are related, where $e$ is of the form $E[e_1]$ (i.e., $e_1$ is in evaluation position in $e$, and $E$ is the evaluation context surrounding it). Perhaps $e_1$ is something like $y_1(v_1)$, in which case there is no way to reduce it. However, if we can prove that $y_1(v_1)$ is logically related to some other expression $e_2$, then there are two cases to consider. In the case that they both terminate, we can assume that there are some values $x_1$ and $x_2$ such that $e_1$ evaluates to $x_1$, $e_2$ is ciu-approximated by $x_2$, and $x_1$ and $x_2$ are related by $\mathcal{V}\llbracket\tau\rrbracket\rho$, and the goal is reduced to showing that $E[x_1]$ is related to $f$. In the case that $e_1$ diverges, there is nothing to show, since $E[e_1]$ will diverge, too.

The BIND rule may seem at first glance a bit peculiar in that the term $e_2$ does not necessarily have any relationship to $f$, and the variable $x_2$ does not appear anywhere on the r.h.s. of the last premise. This peculiarity is a consequence of the rule being as general as possible. In the specific (if common) case that $f$ is in fact of the form $E_2[e_2]$ (i.e., that $e_2$ is in evaluation position in $f$), an easy corollary of Rules BIND and CIU is Rule BIND2. In addition to being more intuitive, this more symmetric-looking variant of the BIND rule is very useful in deriving compatibility properties [26], such as Rules APP and UNROLL; these compatibility properties are necessary in order to establish that the logical relation is a precongruence (and hence contained in contextual approximation), and Rule BIND2 helps to reduce the derivations of these properties to the case where the $e$'s and $f$'s are values. Rule BIND2 does not subsume Rule BIND, however: the general and distinctly asymmetric nature of the original Rule BIND renders it suitable for reasoning about logical approximation in cases where the more symmetric Rule BIND2 does not apply — for instance, see the proof of the "free theorem" example in Section 5.3.

Rule FUNEXT demonstrates a clean extensionality property for function values, which was one of our key motivations for LSLR in the first place. (The property does not hold for arbitrary terms in our call-by-value semantics.) It is worth noting that, in prior step-indexed models, this extensionality property is not quite so clean to state. For example, if one were to encode Ahmed's relation in our logic directly, the assumption $(x_1, x_2) \in \mathcal{V}\llbracket\tau'\rrbracket\rho$ would have to be $\triangleright$'d. The key to our cleaner formulation is simply that we confine the use of $\triangleright$ in $\mathcal{V}\llbracket\tau\rrbracket\rho$ to the case when $\tau$ is a recursive type. Thus, in particular, one need not mention $\triangleright$ when reasoning purely about functions and $\beta$-reduction.

Finally, Rule FIX gives the rule for recursive functions, which are encodable in a well-known way in terms of recursive types. We formalize the encoding as follows:

$\mathsf{fix}\,f(x).e = \lambda y.(\mathsf{unroll}\,v)\,v\,y$

where $v = \mathsf{roll}\,(\lambda z.(\lambda f.\lambda x.e)(\lambda y.(\mathsf{unroll}\,z)\,z\,y))$

for $y, z \notin FV(e)$

This encoding has the property that if $F = \mathsf{fix}\,f(x).e$, then $F(v) \hookrightarrow^1 e[F/f, v/x]$. Consequently, to show two recursive functions related, we may LÖB-inductively assume they are related while proving that their bodies are related. (For the proof that the bodies are related, we may also un-$\triangleright$ any other $\triangleright$ hypotheses in the ambient context $C$.) The implicit use of LÖB induction in this rule gives it a distinctively coinductive flavor.

4.5. Proofs of Derivability. In this section, we show how to derive the rules in Figure 7.

Proposition 4.6 (Type Substitution).

□

Proposition 4.7. Rule VAL is derivable.

Proof. Immediate, since $\preceq$ is reflexive. □
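The "immediate" step above, unfolded against the definition of $\mathcal{E}\llbracket\tau\rrbracket\rho$ in Figure 6; this worked derivation is added here and is not part of the original paper.

```latex
\text{Assume } (v_1, v_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho.
\text{ Since } \mathcal{V}\llbracket\tau\rrbracket\rho : \mathrm{VRel}(\rho_1\tau, \rho_2\tau),
\text{ we have } v_1 \downarrow \rho_1\tau \text{ and } v_2 \downarrow \rho_2\tau,
\text{ so the side conditions } t_1 : \rho_1\tau,\; t_2 : \rho_2\tau \text{ of } \mathcal{E}\llbracket\tau\rrbracket\rho
\text{ hold with } t_i = v_i. \text{ The two conjuncts of the body:}
\begin{align*}
&\forall x_1.\; v_1 \Downarrow^0 x_1 \Rightarrow \exists x_2.\; x_2 \preceq v_2 \wedge (x_1, x_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho
  && \text{a value takes no step, so } x_1 = v_1;\ \text{take } x_2 = v_2,\ \text{using } v_2 \preceq v_2 \\
&\forall t_1'.\; v_1 \hookrightarrow^1 t_1' \Rightarrow \triangleright (t_1', v_2) \in r
  && \text{vacuous, since } v_1 \text{ takes no step}
\end{align*}
\text{Hence } (v_1, v_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho,
\text{ i.e. } \mathcal{V}\llbracket\tau\rrbracket\rho \subseteq \mathcal{E}\llbracket\tau\rrbracket\rho,
\text{ and the only fact about } \preceq \text{ used is reflexivity; } \triangleright \text{ is never needed.}
```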
Proposition 4.8. Rule WEAK-$\triangleright$ is derivable.

Proof. Suppose $C = \mathcal{X}; \mathcal{R}; \mathcal{P}$. Then, $\triangleleft C \vdash P$ implies $\mathcal{X}; \mathcal{R}; \cdot \vdash (\bigwedge_{Q \in \mathcal{P}} \triangleleft Q) \Rightarrow P$. By Rule MONO and the distributivity axioms, $\mathcal{X}; \mathcal{R}; \cdot \vdash (\bigwedge_{Q \in \mathcal{P}} \triangleright\triangleleft Q) \Rightarrow \triangleright P$. Since $Q \Rightarrow \triangleright\triangleleft Q$, we have $\mathcal{X}; \mathcal{R}; \cdot \vdash (\bigwedge_{Q \in \mathcal{P}} Q) \Rightarrow \triangleright P$, and thus $C \vdash \triangleright P$. □

Proposition 4.9. Rule RED is derivable.

Proof. First, suppose that $e_1 \Downarrow^0 x_1$ for some value $x_1$. Then, $e_1' \hookrightarrow^0 e_1$ implies that $e_1' \Downarrow^0 x_1$ as well, and the rest follows immediately from $(e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$.

Second, suppose that $e_1 \hookrightarrow^1 t_1$ for some term $t_1$. Then, $e_1' \hookrightarrow^0 e_1$ implies that $e_1' \hookrightarrow^1 t_1$ as well, so again the rest follows immediately from $(e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$. □

Proposition 4.10. Rule EXP is derivable given the additional premise that $C \vdash e_1 \hookrightarrow^0 e_1'$.

Proof. The proof is very similar to the proof of Rule RED. The key bits are: (1) if $e_1 \Downarrow^0 x_1$ and $e_1 \hookrightarrow^0 e_1'$, then $e_1' \Downarrow^0 x_1$ by determinacy of reduction, and (2) if $e_1 \hookrightarrow^1 t_1$ and $e_1 \hookrightarrow^0 e_1'$, then $e_1' \hookrightarrow^1 t_1$, again by determinacy of reduction. □

Proposition 4.11. Rule EXP-$\triangleright$ is derivable.

Proof. First, suppose that $e_1 \Downarrow^0 x_1$ for some value $x_1$. Then, $e_1 \hookrightarrow^1 e_1'$ yields a contradiction.

Second, suppose that $e_1 \hookrightarrow^1 t_1$ for some term $t_1$. Then, since $e_1 \hookrightarrow^1 e_1'$, we have by determinacy of reduction that either $e_1' \hookrightarrow^0 t_1$ or $t_1 \hookrightarrow^0 e_1'$. Thus, by either Proposition 4.9 or 4.10, $\triangleright(e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$ implies $\triangleright(t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$, which is what we needed to show. □

Proposition 4.12. Rule EXP is derivable.

Proof. Assume the premises of Rule EXP. We will prove the following proposition and then instantiate $t_1$ with $e_1$ to obtain the desired result.

$\forall t_1.\; (t_1 : \rho_1\tau \wedge t_1 \hookrightarrow^* e_1') \Rightarrow (t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$

The proof is by LÖB induction, i.e., we use the LÖB rule to assume the above proposition is true "later" (under a $\triangleright$ modality) and then prove it true "now". So assume $t_1 : \rho_1\tau$ and $t_1 \hookrightarrow^* e_1'$, and we want to prove $(t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$. It is thus either the case that $t_1 \hookrightarrow^0 e_1'$ or that there exists $t_1'$ such that $t_1 \hookrightarrow^1 t_1' \hookrightarrow^* e_1'$. In the former case, the result follows by Proposition 4.10 and the assumption $(e_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$. In the latter case we have, by the LÖB-inductive hypothesis (i.e., the $\triangleright$-ed version of our original goal) together with the distributivity of $\triangleright$ over $\forall$ and $\Rightarrow$, that $\triangleright(t_1' : \rho_1\tau \wedge t_1' \hookrightarrow^* e_1') \Rightarrow \triangleright(t_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$. We already know that $t_1' \hookrightarrow^* e_1'$, and $t_1' : \rho_1\tau$ follows by type preservation, so by Rule MONO, we have that $\triangleright(t_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$. The result then follows from $t_1 \hookrightarrow^1 t_1'$ and Rule EXP-$\triangleright$. □

Proposition 4.13. Rule CIU is derivable.

Proof. As for Rule EXP, the proof here is by LÖB induction. Given the premises of Rule CIU, we prove the following and then instantiate $t_1$ to $e_1$:

$\forall t_1.\; (t_1, e_2') \in \mathcal{E}\llbracket\tau\rrbracket\rho \Rightarrow (t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$

Assume this is true later, and we proceed to prove it now. So assume $(t_1, e_2') \in \mathcal{E}\llbracket\tau\rrbracket\rho$, and we want to prove $(t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$.

First, suppose $t_1 \Downarrow^0 x_1$. Then, there exists $x_2$ such that $(x_1, x_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho$ and $x_2 \preceq e_2'$. Since by assumption $e_2' \preceq e_2$ and $\preceq$ is transitive, we have that $x_2 \preceq e_2$, so we are done.

Second, suppose $t_1 \hookrightarrow^1 t_1'$. Then, $\triangleright(t_1', e_2') \in \mathcal{E}\llbracket\tau\rrbracket\rho$, so by the LÖB-inductive hypothesis, $\triangleright(t_1', e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$. □
Proposition 4.14. Rule BIND is derivable.

Proof. Define $P(t_1)$ to be the proposition:

$\forall x_1, x_2.\; ((x_1, x_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho \wedge t_1 \hookrightarrow^* x_1 \wedge x_2 \preceq e_2) \Rightarrow (E[x_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'$

We want to prove that

$\forall t_1.\; ((t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho \wedge P(t_1)) \Rightarrow (E[t_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'$

By the LÖB rule, we assume this proposition is true later and proceed to prove it now. So assume that $(t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$ and $P(t_1)$, and we want to prove $(E[t_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'$.

First, suppose that $E[t_1] \Downarrow^0 x_1$ for some $x_1$. Then, it must be the case that $t_1 \Downarrow^0 y_1$ for some $y_1$, and also that $E[t_1] \hookrightarrow^0 E[y_1] \Downarrow^0 x_1$. Since $(t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$, we know there exists some $y_2$ such that $y_2 \preceq e_2$ and $(y_1, y_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho$. Thus, by $P(t_1)$, we know that $(E[y_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'$. Then, by Rule EXP, $(E[t_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'$.

Second, suppose that $E[t_1] \hookrightarrow^1 t_1'$. There are two cases:

Case 1: There exists $y_1$ such that $t_1 \Downarrow^0 y_1$, and also that $E[t_1] \hookrightarrow^0 E[y_1] \hookrightarrow^1 t_1'$. The proof is identical to the previous case shown above.

Case 2: There exists $u_1$ such that $t_1 \hookrightarrow^1 u_1$, and also that $E[t_1] \hookrightarrow^1 E[u_1] \hookrightarrow^0 t_1'$. Since $(t_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$, we know that $\triangleright(u_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$. Also, it is easy to show that $P(t_1)$ implies $P(u_1)$. Thus, by appealing to our LÖB-inductive hypothesis, we have that $\triangleright(E[u_1], f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'$. Finally, by Rule RED, $\triangleright(t_1', f) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'$. □

Proposition 4.15. Rule BIND2 is derivable.

Proof. By Rules BIND and CIU, together with the fact that $x_2 \preceq e_2$ implies $E_2[x_2] \preceq E_2[e_2]$, by part (4) of Proposition 4.4. □

Proposition 4.16. Rule APP is derivable.

Proof. By Rule BIND2, using evaluation contexts $[\cdot]\,e_1$ and $[\cdot]\,e_2$, the goal reduces to showing that $(x_1\,e_1, x_2\,e_2) \in \mathcal{E}\llbracket\tau''\rrbracket\rho$ under the assumption that $(x_1, x_2) \in \mathcal{V}\llbracket\tau' \to \tau''\rrbracket\rho$. By Rule BIND2 again, this time using evaluation contexts $x_1\,[\cdot]$ and $x_2\,[\cdot]$, the goal reduces to showing that $(x_1\,y_1, x_2\,y_2) \in \mathcal{E}\llbracket\tau''\rrbracket\rho$ under the assumption that $(y_1, y_2) \in \mathcal{V}\llbracket\tau'\rrbracket\rho$. The result then follows by unrolling the definition of $\mathcal{V}\llbracket\tau' \to \tau''\rrbracket\rho$. □

Proposition 4.17. Rule UNROLL is derivable.

Proof. By Rule BIND2, using the evaluation context $\mathsf{unroll}\,[\cdot]$ on both sides, the goal reduces to showing that $(\mathsf{unroll}\,x_1, \mathsf{unroll}\,x_2) \in \mathcal{E}\llbracket\tau[\mu\alpha.\tau/\alpha]\rrbracket\rho$ under the assumption that $(x_1, x_2) \in \mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho$. Unrolling the definition of $\mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho$, we have that $x_1 = \mathsf{roll}\,y_1$, $x_2 = \mathsf{roll}\,y_2$, and $\triangleright(y_1, y_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho, \alpha \mapsto \mathcal{V}\llbracket\mu\alpha.\tau\rrbracket\rho$ for some $y_1$ and $y_2$. By Proposition 4.6, $\triangleright(y_1, y_2) \in \mathcal{V}\llbracket\tau[\mu\alpha.\tau/\alpha]\rrbracket\rho$. Also, we have that $\mathsf{unroll}\,x_i = \mathsf{unroll}\,(\mathsf{roll}\,y_i) \hookrightarrow^1 y_i$ (and thus $y_i \preceq \mathsf{unroll}\,x_i$ as well). Thus, the desired result follows directly by Rule EXP-$\triangleright$ and Rule CIU. □

Proposition 4.18. Rule FUNEXT is derivable.

Proof. Immediate, by unfolding the definition of $\mathcal{V}\llbracket\tau' \to \tau''\rrbracket\rho$. □

Proposition 4.19. Rule FIX is derivable.

Proof. By straightforward combination of Rules LÖB, FUNEXT, WEAK-$\triangleright$, EXP-$\triangleright$, and CIU, given the fact that $F_i\,x_i \hookrightarrow^1 e_i[F_i/f]$. □
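The fact cited in the proof above, $F_i\,x_i \hookrightarrow^1 e_i[F_i/f]$, checked step by step against the encoding of fix from Section 4.4; this reduction sequence is added here and is not part of the original paper (the argument value is written $w$ to keep it apart from the $v$ of the encoding).

```latex
\text{Let } F = \mathsf{fix}\,f(x).e = \lambda y.(\mathsf{unroll}\,v)\,v\,y, \qquad
v = \mathsf{roll}\,(\lambda z.(\lambda f.\lambda x.e)(\lambda y.(\mathsf{unroll}\,z)\,z\,y)), \qquad y, z \notin FV(e).
\begin{align*}
F\,w
&= (\lambda y.(\mathsf{unroll}\,v)\,v\,y)\,w \\
&\hookrightarrow (\mathsf{unroll}\,v)\,v\,w
   && \beta \text{ (}w\text{ is a value)} \\
&= (\mathsf{unroll}\,(\mathsf{roll}\,(\lambda z.(\lambda f.\lambda x.e)(\lambda y.(\mathsf{unroll}\,z)\,z\,y))))\,v\,w \\
&\hookrightarrow (\lambda z.(\lambda f.\lambda x.e)(\lambda y.(\mathsf{unroll}\,z)\,z\,y))\,v\,w
   && \text{unroll-roll, the one counted step} \\
&\hookrightarrow (\lambda f.\lambda x.e)\,(\lambda y.(\mathsf{unroll}\,v)\,v\,y)\,w
   && \beta \text{ (}v\text{ is a value)} \\
&= (\lambda f.\lambda x.e)\,F\,w \\
&\hookrightarrow (\lambda x.e[F/f])\,w
   && \beta \text{ (}F\text{ is a value)} \\
&\hookrightarrow e[F/f, w/x]
   && \beta
\end{align*}
\text{Five reductions, exactly one of them unroll-roll, so } F\,w \hookrightarrow^1 e[F/f, w/x]
\text{; with } F = F_i \text{ and } w = x_i \text{ this is } F_i\,x_i \hookrightarrow^1 e_i[F_i/f].
```

Because the body is reached only through an unroll-roll step, Rule FIX must pass through EXP-$\triangleright$ (the body is related "later") and then WEAK-$\triangleright$ to discharge the $\triangleright$ together with the LÖB hypothesis, which is why the rule's third premise is stated under $\triangleleft C$.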

4.6. Soundness and Completeness of the Logical Relation. We now state some key theorems concerning the logical relation, the primary ones being that it is sound and complete w.r.t. contextual approximation.

Definition 4.20 (Logical Approximation). Let $\Gamma \vdash e_1 : \tau$ and $\Gamma \vdash e_2 : \tau$. Suppose $\Gamma = \alpha_1, \ldots, \alpha_n, x_1 : \tau_1, \ldots, x_m : \tau_m$. Let

$\mathcal{X} = \alpha_1^1, \alpha_1^2, \ldots, \alpha_n^1, \alpha_n^2, x_1^1, x_1^2, \ldots, x_m^1, x_m^2$

$\mathcal{R} = r_1, \ldots, r_n$

$\rho = \alpha_1 \mapsto (\alpha_1^1, \alpha_1^2, r_1), \ldots, \alpha_n \mapsto (\alpha_n^1, \alpha_n^2, r_n)$

$\mathcal{P} = r_1 : \mathrm{VRel}(\alpha_1^1, \alpha_1^2), \ldots, r_n : \mathrm{VRel}(\alpha_n^1, \alpha_n^2), (x_1^1, x_1^2) \in \mathcal{V}\llbracket\tau_1\rrbracket\rho, \ldots, (x_m^1, x_m^2) \in \mathcal{V}\llbracket\tau_m\rrbracket\rho$

$\gamma_j = x_1 \mapsto x_1^j, \ldots, x_m \mapsto x_m^j$ (where $j \in \{1, 2\}$)

Then

$\Gamma \vdash e_1 \preceq^{\mathrm{log}} e_2 : \tau \overset{\mathrm{def}}{=} \mathcal{X}; \mathcal{R}; \mathcal{P} \vdash (\rho_1\gamma_1 e_1, \rho_2\gamma_2 e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$

Theorem 4.21 (Fundamental Theorem of Logical Relations).

If $\Gamma \vdash e : \tau$ then $\Gamma \vdash e \preceq^{\mathrm{log}} e : \tau$.

Proof. By induction on typing derivations. In the case when $e$ is a variable, the goal follows directly from the hypotheses $\mathcal{P}$ in Definition 4.20. All of the other cases follow immediately from the compatibility rules, which are all completely straightforward to prove (in the style of Rule APP). The only slightly interesting compatibility rule is Rule UNROLL, which we proved in Section 4.5. □

Theorem 4.22 (Adequacy).

If $\vdash (e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket$ and $e_1 \Downarrow$ then $e_2 \Downarrow$.

Proof. Suppose $e_1 \Downarrow v_1$. Let $n$ be the number of unroll-roll reductions that occur in the evaluation of $e_1$ to $v_1$. It is easy to show by induction on $n$, and by unfolding the definition of $\mathcal{E}\llbracket\tau\rrbracket$, that $\vdash \triangleright^n(v_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket$ (where $\triangleright^n$ denotes $n$ applications of the $\triangleright$ modality). Thus, $\vdash \triangleright^n(\exists x_2 \downarrow \tau.\; x_2 \preceq e_2)$.

Appealing to the model, we have that $\forall k \geq 0.\; \llbracket\triangleright^n(\exists x_2 \downarrow \tau.\; x_2 \preceq e_2)\rrbracket_k$. Choosing $k > n$, this means that there exists a value $v_2 : \tau$ such that $v_2 \preceq^{\mathrm{ciu}} e_2$. Hence, $e_2 \Downarrow$. □

Theorem 4.23 (Logical Approximation $\Rightarrow$ Contextual Approximation).

If $\Gamma \vdash e_1 \preceq^{\mathrm{log}} e_2 : \tau$, then $\Gamma \vdash e_1 \preceq^{\mathrm{ctx}} e_2 : \tau$.

Proof. Given a context $C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')$, we show that $\Gamma' \vdash C[e_1] \preceq^{\mathrm{log}} C[e_2] : \tau'$. The proof of this part is by induction on the context $C$, and as in the proof of the Fundamental Theorem, all of the cases follow immediately from the compatibility rules. Thus, if $\Gamma'$ is empty, we know that $\vdash (C[e_1], C[e_2]) \in \mathcal{E}\llbracket\tau'\rrbracket$. Consequently, by Adequacy, we know that $C[e_1] \Downarrow$ implies $C[e_2] \Downarrow$. □

Theorem 4.24 (Ciu-Transitivity of the Logical Relation).

If $\Gamma \vdash e_1 \preceq^{\mathrm{log}} e_2' : \tau$ and $\Gamma \vdash e_2' \preceq^{\mathrm{ciu}} e_2 : \tau$, then $\Gamma \vdash e_1 \preceq^{\mathrm{log}} e_2 : \tau$.

Proof. Let $\mathcal{X}$, $\mathcal{R}$, $\mathcal{P}$, $\rho$, and $\gamma_j$ be as defined in Definition 4.20. From the second assumption, it is easy to show by appeal to the model that $\mathcal{X}; \mathcal{R}; \mathcal{P} \vdash \rho_2\gamma_2 e_2' \preceq \rho_2\gamma_2 e_2$. Thus, the result follows immediately by Rule CIU. □

Theorem 4.25 (Ciu Approximation $\Rightarrow$ Logical Approximation).

If $\Gamma \vdash e_1 \preceq^{\mathrm{ciu}} e_2 : \tau$, then $\Gamma \vdash e_1 \preceq^{\mathrm{log}} e_2 : \tau$.

Proof. By the Fundamental Theorem of Logical Relations, $\Gamma \vdash e_1 \preceq^{\mathrm{log}} e_1 : \tau$. The result then follows directly by Theorem 4.24. □

Corollary 4.26 ($\preceq^{\mathrm{ctx}} = \preceq^{\mathrm{ciu}} = \preceq^{\mathrm{log}}$).

$\Gamma \vdash e_1 \preceq^{\mathrm{ctx}} e_2 : \tau$ iff $\Gamma \vdash e_1 \preceq^{\mathrm{ciu}} e_2 : \tau$ iff $\Gamma \vdash e_1 \preceq^{\mathrm{log}} e_2 : \tau$.

Proof. By Theorems 4.5, 4.23, and 4.25. □



4.7. Symmetric Version of the Logical Relation. We have shown that our logical 
relation supports sound inequational reasoning about contextual approximation, but we 
would like to support equational reasoning as well. Of course, one can prove two terms 
equivalent by proving that each approximates the other, but often this results in a tedious 
duplication of work. Fortunately, we can define a symmetric version of our logical relation 
directly in terms of the asymmetric one. 

First, some notation: for a binary term relation $R$, let $R^{\mathrm{op}}$ denote $(t_2, t_1).(t_1, t_2) \in R$. Also, let $\rho^{\mathrm{op}}$ denote the mapping with domain equal to that of $\rho$ such that if $\rho(\alpha) = (\tau_1, \tau_2, R)$, then $\rho^{\mathrm{op}}(\alpha) = (\tau_2, \tau_1, R^{\mathrm{op}})$.

Now, perhaps the most natural way of defining a symmetric version of our logical relation would be to say that two terms/values are symmetrically related if they are logically equivalent, i.e., asymmetrically related (by $\mathcal{E}\llbracket\tau\rrbracket$) in both directions. Interestingly, this does not work. In particular, there are a variety of properties (described below) that we would like our symmetric relation to enjoy, one of them being the property that symmetrically-related function values $f_1$ and $f_2$ (of type $\tau' \to \tau''$) are precisely those that map symmetrically-related arguments (of type $\tau'$) to symmetrically-related results (of type $\tau''$). However, just knowing that $f_1$ and $f_2$ map equivalent arguments to equivalent results does not imply that they are equivalent themselves; to show equivalence, we would need to establish relatedness of $f_1$ and $f_2$ in both directions, which would at a minimum require that they map $\mathcal{V}\llbracket\tau'\rrbracket$-related arguments (which are not necessarily equivalent) to $\mathcal{E}\llbracket\tau''\rrbracket$-related results. Merely knowing how $f_1$ and $f_2$ behave on equivalent arguments is not enough to establish that.

Thus, instead, we define the symmetric relation as shown in Figure 8. Here, $d$ is a value variable of type $\mathsf{bool}$ that we assume is bound in the context in which these symmetric relations appear. When $d$ is $\mathsf{true}$, $\mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho$ and $\mathcal{V}^{\approx}\llbracket\tau\rrbracket\rho$ are equivalent to the asymmetric logical relation in one direction; and when $d$ is $\mathsf{false}$, they are equivalent to the asymmetric relation in the other direction. Thus, by proving two terms to be symmetrically-related in a context where $d$'s identity is unknown, we can effectively prove logical approximation in both directions simultaneously.

This formulation has several nice properties. First, it is straightforward to show that if we take each case of the definition of $\mathcal{V}\llbracket\tau\rrbracket\rho$ in Figure 6, replace all occurrences of $\mathcal{V}\llbracket\tau\rrbracket\rho$
Figure 8: Symmetric Version of the $F^\mu$ Logical Relation and Related Definitions

$\mathcal{V}^{\approx}\llbracket\tau\rrbracket\rho \overset{\mathrm{def}}{=} (t_1 : \rho_1\tau, t_2 : \rho_2\tau).\;
(d = \mathsf{true} \Rightarrow (t_1, t_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho) \;\wedge\;
(d = \mathsf{false} \Rightarrow (t_2, t_1) \in \mathcal{V}\llbracket\tau\rrbracket\rho^{\mathrm{op}})$

$\mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho \overset{\mathrm{def}}{=} (t_1 : \rho_1\tau, t_2 : \rho_2\tau).\;
(d = \mathsf{true} \Rightarrow (t_1, t_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho) \;\wedge\;
(d = \mathsf{false} \Rightarrow (t_2, t_1) \in \mathcal{E}\llbracket\tau\rrbracket\rho^{\mathrm{op}})$

$e_1 \preceq_1 e_2 \overset{\mathrm{def}}{=} (d = \mathsf{true} \Rightarrow e_2 \preceq e_1) \;\wedge\; (d = \mathsf{false} \Rightarrow e_1 \preceq e_2)$

$e_1 \preceq_2 e_2 \overset{\mathrm{def}}{=} (d = \mathsf{true} \Rightarrow e_1 \preceq e_2) \;\wedge\; (d = \mathsf{false} \Rightarrow e_2 \preceq e_1)$

and $\mathcal{E}\llbracket\tau\rrbracket\rho$ with their symmetric versions, and substitute $\equiv$ for $\overset{\mathrm{def}}{=}$, we have a set of valid relational equivalences. The same goes for the relational equivalences in Proposition 4.6. (The same is not true, however, for the definition of $\mathcal{E}\llbracket\tau\rrbracket\rho$, because it is inherently asymmetric.)

The proofs of these symmetric relational equivalences are all quite easy — each one splits into two cases, one for $d = \mathsf{true}$ and one for $d = \mathsf{false}$. Here, we sketch the proof for the recursive type case, which is the most interesting since it uses the LÖB rule.

Proposition 4.27. $\mathcal{V}^{\approx}\llbracket\mu\alpha.\tau\rrbracket\rho \equiv \mu r.(x_1 \downarrow \rho_1(\mu\alpha.\tau), x_2 \downarrow \rho_2(\mu\alpha.\tau)).\;
\exists y_1, y_2.\; x_1 = \mathsf{roll}\,y_1 \wedge x_2 = \mathsf{roll}\,y_2 \wedge
\triangleright(y_1, y_2) \in \mathcal{V}^{\approx}\llbracket\tau\rrbracket\rho, \alpha \mapsto (\rho_1(\mu\alpha.\tau), \rho_2(\mu\alpha.\tau), r)$

Proof. Let $R_1$ and $R_2$ denote the relations on the left and right sides of the equivalence, respectively. By the LÖB rule, we can assume that $\triangleright(R_1 \equiv R_2)$. By Canonical Forms, either $d = \mathsf{true}$ or $d = \mathsf{false}$:

Case $d = \mathsf{true}$: Unrolling definitions, the proof reduces to showing that $\triangleright(y_1, y_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho, \alpha \mapsto (\ldots, R_1)$ iff $\triangleright(y_1, y_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho, \alpha \mapsto (\ldots, R_2)$. This follows from the basic axioms together with the LÖB-inductive hypothesis $\triangleright(R_1 \equiv R_2)$.

Case $d = \mathsf{false}$: Similarly, the proof reduces to showing that $\triangleright(y_2, y_1) \in \mathcal{V}\llbracket\tau\rrbracket\rho^{\mathrm{op}}, \alpha \mapsto (\ldots, R_1^{\mathrm{op}})$ iff $\triangleright(y_2, y_1) \in \mathcal{V}\llbracket\tau\rrbracket\rho^{\mathrm{op}}, \alpha \mapsto (\ldots, R_2^{\mathrm{op}})$. Again, this follows from the basic axioms together with the LÖB-inductive hypothesis $\triangleright(R_1 \equiv R_2)$. □

Furthermore, we can easily derive symmetric versions of most of our derived rules. In most cases, including all the compatibility properties, the symmetric rule looks like the asymmetric one, except with $\mathcal{E}^{\approx}$ and $\mathcal{V}^{\approx}$ in place of $\mathcal{E}$ and $\mathcal{V}$. Exceptions to this pattern include the rules from EXP to BIND2 in Figure 7. In Figure 9, we give symmetric versions of several of these, the last two of which employ the relations $e_1 \preceq_1 e_2$ and $e_1 \preceq_2 e_2$ defined in Figure 8. These relations are merely a technical device to enable a symmetric presentation of certain premises that have the form $e_2 \preceq e_1$ for one direction of approximation and $e_1 \preceq e_2$ for the other direction. The proofs of these rules are all completely straightforward, relying heavily on the fact (from Proposition 4.4) that $e_1 \hookrightarrow^* e_2$ implies $e_1 \equiv^{\mathrm{ciu}} e_2$. (Note
Figure 9: Symmetric Versions of Several Derivable Rules

(sym-exp)
$\dfrac{C \vdash e_1 : \rho_1\tau \qquad C \vdash e_2 : \rho_2\tau \qquad C \vdash e_1 \hookrightarrow^* e_1' \qquad C \vdash e_2 \hookrightarrow^* e_2' \qquad C \vdash (e_1', e_2') \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho}$

(sym-exp-$\triangleright$)
$\dfrac{C \vdash e_1 : \rho_1\tau \qquad C \vdash e_2 : \rho_2\tau \qquad C \vdash e_1 \hookrightarrow^1 e_1' \qquad C \vdash e_2 \hookrightarrow^1 e_2' \qquad C \vdash \triangleright(e_1', e_2') \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho}$

(sym-red)
$\dfrac{C \vdash e_1' \hookrightarrow^0 e_1 \qquad C \vdash e_2' \hookrightarrow^0 e_2 \qquad C \vdash (e_1', e_2') \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho}$

(sym-ciu)
$\dfrac{C \vdash e_1 : \rho_1\tau \qquad C \vdash e_2 : \rho_2\tau \qquad C \vdash (e_1', e_2') \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho \qquad C \vdash e_1' \preceq_1 e_1 \qquad C \vdash e_2' \preceq_2 e_2}{C \vdash (e_1, e_2) \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho}$

(sym-bind2)
$\dfrac{\begin{array}{c}
C \vdash E_1 : \rho_1\tau \rightsquigarrow \rho_1'\tau' \qquad C \vdash E_2 : \rho_2\tau \rightsquigarrow \rho_2'\tau' \qquad C \vdash (e_1, e_2) \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rho \\
C, x_1, x_2, (x_1, x_2) \in \mathcal{V}^{\approx}\llbracket\tau\rrbracket\rho, x_1 \preceq_1 e_1, x_2 \preceq_2 e_2 \vdash (E_1[x_1], E_2[x_2]) \in \mathcal{E}^{\approx}\llbracket\tau'\rrbracket\rho'
\end{array}}{C \vdash (E_1[e_1], E_2[e_2]) \in \mathcal{E}^{\approx}\llbracket\tau'\rrbracket\rho'}$



that the context $C$ appearing in all these rules is assumed to bind $d$ in its variable context and contain $d \downarrow \mathsf{bool}$ in its proposition context.)

To give the reader a concrete sense of how these rules work, we present in the next section three detailed examples of how to use them to prove contextual equivalences.

Finally, since LSLR is inspired by Plotkin and Abadi's logic for parametricity, one might expect to see some rule corresponding to "identity extension." Denoting contextual equivalence at a type $\tau$ by $R^{\mathrm{ctx}}_\tau$, identity extension would mean that, for any open type $\alpha \vdash \tau$, we would have that $\mathcal{E}^{\approx}\llbracket\tau\rrbracket(\alpha \mapsto R^{\mathrm{ctx}}_\alpha)$ equals $R^{\mathrm{ctx}}_\tau$. In fact, we do not have such a rule since, as we discovered in the course of carrying out this work, identity extension does not hold for the step-indexed model! For identity extension to hold, one would need that contextual equivalence at any $\tau$ should equal the semantics of $\mathcal{E}^{\approx}\llbracket\tau\rrbracket$, but it only equals the subset of $\mathcal{E}^{\approx}\llbracket\tau\rrbracket$ for which the relation holds for all $n$, i.e., roughly, the subset $\{(e_1, e_2) \mid \forall n.\; \llbracket(e_1, e_2) \in \mathcal{E}^{\approx}\llbracket\tau\rrbracket\rrbracket_n\}$. The identity extension lemma has traditionally been used to prove representation independence results, aka free theorems [35], and, for pure calculi, definability results for types [30]. In spite of the lack of identity extension we are still able to prove some free theorems, as we demonstrate in Section 5.3.



5. Examples 

We now show three examples of how to use our LSLR-based logical relation to prove 
interesting contextual equivalences. 

The first example is from Crary and Harper [13] (who adapted it from one in Sumii 
and Pierce [34]) and concerns representation independence of "objects" with existential 
recursive type. The second, from Sumii and Pierce [34], is concerned with proving the 
syntactic minimal invariant property associated with a general recursive type [27, 10, 13]. 
The third is a canonical example of a Wadler-style "free theorem" [35]. 






We reason informally in LSLR but present the proofs in some detail to emphasize the 
use of the derivable rules from Section 4. Observe that the proofs do not involve any mention 
of step indices! 

5.1. Flag Objects. Consider the following type for flag objects, which have an instance 
variable (with abstract type $\alpha$) and two methods. The first method returns a new object 
whose flag is reversed, while the second method returns the current state of the flag. 

$\mathsf{fld}_\alpha = \mu\beta.\ \alpha \times ((\beta \to \beta) \times (\beta \to \mathsf{bool}))$ 
$\mathsf{flag} = \exists\alpha.\ \mathsf{fld}_\alpha$ 

We consider two implementations of flags, in which the hidden flag state is represented by 
a bool and an int, respectively. We assume that $\mathsf{not} : \mathsf{bool} \to \mathsf{bool}$ and $\mathsf{even} : \mathsf{int} \to \mathsf{bool}$ are 
implemented in the obvious way. 

$\mathsf{bflag} = \mathsf{pack}\ \mathsf{bool}, (\mathsf{roll}\,(\mathsf{true}, (\mathsf{bflip}, \mathsf{bret})))\ \mathsf{as}\ \mathsf{flag}$ 
$\mathsf{bflip} = \lambda x : \mathsf{fld}_{\mathsf{bool}}.\ \mathsf{roll}\,(\mathsf{not}\,(\mathsf{fst}\,(\mathsf{unroll}\,x)), \mathsf{snd}\,(\mathsf{unroll}\,x))$ 
$\mathsf{bret} = \lambda x : \mathsf{fld}_{\mathsf{bool}}.\ \mathsf{fst}\,(\mathsf{unroll}\,x)$ 

$\mathsf{iflag} = \mathsf{pack}\ \mathsf{int}, (\mathsf{roll}\,(0, (\mathsf{iflip}, \mathsf{iret})))\ \mathsf{as}\ \mathsf{flag}$ 
$\mathsf{iflip} = \lambda x : \mathsf{fld}_{\mathsf{int}}.\ \mathsf{roll}\,(1 + (\mathsf{fst}\,(\mathsf{unroll}\,x)), \mathsf{snd}\,(\mathsf{unroll}\,x))$ 
$\mathsf{iret} = \lambda x : \mathsf{fld}_{\mathsf{int}}.\ \mathsf{even}\,(\mathsf{fst}\,(\mathsf{unroll}\,x))$ 

To prove equivalence of bflag and iflag, it suffices to show $d, d \downarrow \mathsf{bool} \vdash (\mathsf{bflag}, \mathsf{iflag}) \in 
\mathcal{E}^\sim\llbracket\mathsf{flag}\rrbracket$. Equivalently, by Rule VAL, since both terms are values, it is enough to show that 
$d, d \downarrow \mathsf{bool} \vdash (\mathsf{bflag}, \mathsf{iflag}) \in \mathcal{V}^\sim\llbracket\mathsf{flag}\rrbracket$. Unfolding the definition of $\mathcal{V}^\sim\llbracket\exists\alpha.\ \mathsf{fld}_\alpha\rrbracket$, we choose 
$\alpha_1 \mapsto \mathsf{bool}$, $\alpha_2 \mapsto \mathsf{int}$, $y_1 \mapsto v_1$, $y_2 \mapsto v_2$, and $r \mapsto R$ as the substitution for its existentially 
bound variables, where $v_1 = \mathsf{roll}\,(\mathsf{true}, (\mathsf{bflip}, \mathsf{bret}))$, $v_2 = \mathsf{roll}\,(0, (\mathsf{iflip}, \mathsf{iret}))$, and 

$R = (x_1 \downarrow \mathsf{bool}, x_2 \downarrow \mathsf{int}).\ \exists y \downarrow \mathsf{int}.\ (x_1 = \mathsf{true} \wedge 2y \Downarrow x_2) \vee (x_1 = \mathsf{false} \wedge 2y + 1 \Downarrow x_2)$ 

Let $\rho = \alpha \mapsto (\mathsf{bool}, \mathsf{int}, R)$. It now suffices to show $(v_1, v_2) \in \mathcal{V}^\sim\llbracket\mathsf{fld}_\alpha\rrbracket\rho$, or equivalently 
(using the compatibility rules and several applications of Rule VAL): 

(1) Show $(\mathsf{true}, 0) \in \mathcal{V}^\sim\llbracket\alpha\rrbracket\rho$. This is immediate from the definition of $R$ by choosing 
$y \mapsto 0$. 

(2) Show $(\mathsf{bflip}, \mathsf{iflip}) \in \mathcal{V}^\sim\llbracket\mathsf{fld}_\alpha \to \mathsf{fld}_\alpha\rrbracket\rho$. By the compatibility rule for functions, we 
assume that $(x_1, x_2) \in \mathcal{V}^\sim\llbracket\mathsf{fld}_\alpha\rrbracket\rho$, and are required to show: 

$(\mathsf{roll}\,(\mathsf{not}\,(\mathsf{fst}\,(\mathsf{unroll}\,x_1)), \mathsf{snd}\,(\mathsf{unroll}\,x_1)),$ 
$\ \mathsf{roll}\,(1 + (\mathsf{fst}\,(\mathsf{unroll}\,x_2)), \mathsf{snd}\,(\mathsf{unroll}\,x_2))) \in \mathcal{E}^\sim\llbracket\mathsf{fld}_\alpha\rrbracket\rho$ 

By compatibility, we have that $(\mathsf{fst}\,(\mathsf{unroll}\,x_1), \mathsf{fst}\,(\mathsf{unroll}\,x_2)) \in \mathcal{E}^\sim\llbracket\alpha\rrbracket\rho$. Thus, by 
Rule SYM-BIND, we can assume that $(z_1, z_2) \in \mathcal{V}^\sim\llbracket\alpha\rrbracket\rho = R$ for some $z_1$ and $z_2$, and 
the proof reduces to showing 

$(\mathsf{roll}\,(\mathsf{not}\,z_1, \mathsf{snd}\,(\mathsf{unroll}\,x_1)),$ 
$\ \mathsf{roll}\,(1 + z_2, \mathsf{snd}\,(\mathsf{unroll}\,x_2))) \in \mathcal{E}^\sim\llbracket\mathsf{fld}_\alpha\rrbracket\rho$ 

By compatibility again, this reduces to showing that $(\mathsf{not}\,z_1, 1 + z_2) \in \mathcal{E}^\sim\llbracket\alpha\rrbracket\rho$. By 
Rule SYM-EXP, it simply remains to show that $\mathsf{not}\,z_1$ and $1 + z_2$ evaluate to values that 
are related by $R$. The following lemma suffices: 

$\forall z_1, z_2.\ (z_1, z_2) \in R \Rightarrow \exists z_1', z_2'.\ \mathsf{not}\,z_1 \Downarrow z_1' \wedge 1 + z_2 \Downarrow z_2' \wedge (z_1', z_2') \in R$ 

Expanding out the definition of membership in $R$, we arrive at a strictly first-order 
statement that is provable by straightforward means in the meta-logic. 

(3) Show $(\mathsf{bret}, \mathsf{iret}) \in \mathcal{V}^\sim\llbracket\mathsf{fld}_\alpha \to \mathsf{bool}\rrbracket\rho$. This is similar to part (2), with the proof 
boiling down to the first-order statement 

$\forall z_1, z_2.\ (z_1, z_2) \in R \Rightarrow \mathsf{even}\,z_2 \Downarrow z_1$ □ 
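The two flag implementations and the relation $R$ of this proof, as an added example in Python that is not part of the paper: pack and roll are erased (an object is a tuple of its hidden state and its two methods), and the first-order lemma that the LSLR proof above (and the step-counting proof of Section 6.1) reduces to is checked by enumeration over a bounded range of counter values. The relation `R_naive` is a constructed foil that relates the initial states but is not closed under flip.

```python
# Added example (not from the paper): the "flag objects" of Section 5.1 as
# Python closures, plus a bounded check of the relation R used in the proof.
# pack/roll are erased: an object is a tuple (hidden_state, flip, ret).
from typing import Any, Callable, Tuple

Obj = Tuple[Any, Callable[..., Any], Callable[..., Any]]


def bflip(x: Obj) -> Obj:
    """roll (not (fst (unroll x)), snd (unroll x)) for the bool representation."""
    s, flip, ret = x
    return (not s, flip, ret)


def bret(x: Obj) -> bool:
    """fst (unroll x): the bool state is the flag itself."""
    return x[0]


def iflip(x: Obj) -> Obj:
    """roll (1 + (fst (unroll x)), snd (unroll x)) for the int representation."""
    s, flip, ret = x
    return (1 + s, flip, ret)


def iret(x: Obj) -> bool:
    """even (fst (unroll x)): the flag is the parity of the counter."""
    return x[0] % 2 == 0


# bflag = pack bool, roll (true, (bflip, bret)); iflag = pack int, roll (0, (iflip, iret))
bflag: Obj = (True, bflip, bret)
iflag: Obj = (0, iflip, iret)


def R(x1: bool, x2: int) -> bool:
    """The relation chosen for the abstract type alpha in the proof:
    exists y. (x1 = true and 2y = x2) or (x1 = false and 2y + 1 = x2)."""
    return (x1 is True and x2 % 2 == 0) or (x1 is False and x2 % 2 == 1)


def R_naive(x1: bool, x2: int) -> bool:
    """Constructed foil: 'flag is true iff the counter is 0'. It relates the
    initial states (true, 0) but is not preserved by flip, so it cannot serve as R."""
    return x1 == (x2 == 0)


def preserved_by_flip(rel: Callable[[bool, int], bool], bound: int) -> bool:
    """Step (2) of the proof: for all (z1, z2) in rel, (not z1, 1 + z2) in rel.
    Checked exhaustively for 0 <= z2 < bound (z2 ranges over the int states)."""
    return all(rel(not z1, 1 + z2)
               for z2 in range(bound)
               for z1 in (True, False)
               if rel(z1, z2))


def ret_agrees(rel: Callable[[bool, int], bool], bound: int) -> bool:
    """Step (3) of the proof: for all (z1, z2) in rel, even z2 evaluates to z1."""
    return all((z2 % 2 == 0) == z1
               for z2 in range(bound)
               for z1 in (True, False)
               if rel(z1, z2))


def client_trace(n_flips: int) -> bool:
    """A client that only uses the abstract interface (flip, ret) cannot tell the
    two packages apart: drive both for n_flips steps, comparing ret() and R."""
    b, i = bflag, iflag
    for _ in range(n_flips):
        if b[2](b) != i[2](i) or not R(b[0], i[0]):
            return False
        b, i = b[1](b), i[1](i)
    return True
```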

5.2. Syntactic Minimal Invariance. The proof of our next example relies on Canonical 
Forms, a first-order lemma about $F^\mu$ that we assume is proven outside LSLR by traditional 
means. This standard lemma, which characterizes the shape of well-typed values, is only 
available to us because (following Pitts [26]) we have constructed the logical relation from 
syntactically well-typed terms. For further discussion of this point, see Section 7. 

Let $\tau = \mu\alpha.\ \mathsf{unit} + (\alpha \to \alpha)$. We are going to show that the identity function $\mathsf{id} = 
\lambda x : \tau.\ x$ is equivalent to 

$v = \mathsf{fix}\ f(x : \tau).\ \mathsf{case}\ (\mathsf{unroll}\ x)\ \mathsf{of}\ \mathsf{inl}\ \_ \Rightarrow \mathsf{roll}\,(\mathsf{inl}\,())$ 
$\qquad\qquad\qquad\qquad\qquad\qquad\quad\ \ |\ \mathsf{inr}\ g \Rightarrow \mathsf{roll}\,(\mathsf{inr}\,(\lambda y : \tau.\ f\,(g\,(f\,y))))$ 

This corresponds to the minimal invariant property in the domain-theoretic work of Pitts 
[27], which Birkedal and Harper subsequently proved in an operational setting [10]. 

To prove contextual equivalence of id and $v$, we can show $d, d \downarrow \mathsf{bool} \vdash (\mathsf{id}, v) \in 
\mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$. Our proof will be parametric in $d$. By the LÖB rule, we assume $\triangleright(\mathsf{id}, v) \in 
\mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$ and proceed to prove $(\mathsf{id}, v) \in \mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$. Now, by (the symmetric version of) 
Rule FUNEXT and SYM-EXP, we assume $(x_1, x_2) \in \mathcal{V}^\sim\llbracket\tau\rrbracket$, and it suffices to show 

$(x_1,\ \mathsf{case}\ (\mathsf{unroll}\ x_2)\ \mathsf{of}\ \mathsf{inl}\ \_ \Rightarrow \mathsf{roll}\,(\mathsf{inl}\,())$ 
$\qquad\qquad\qquad\qquad\qquad\ \ |\ \mathsf{inr}\ g \Rightarrow \mathsf{roll}\,(\mathsf{inr}\,(\lambda y : \tau.\ v\,(g\,(v\,y))))) \in \mathcal{E}^\sim\llbracket\tau\rrbracket$ 

By relatedness of $x_1$ and $x_2$, we know that there exist $y_1$ and $y_2$ such that $x_1 = \mathsf{roll}\ y_1$, $x_2 = 
\mathsf{roll}\ y_2$, and $\triangleright(y_1, y_2) \in \mathcal{V}^\sim\llbracket\mathsf{unit} + (\tau \to \tau)\rrbracket$. By Canonical Forms, since $y_2 \downarrow \mathsf{unit} + (\tau \to \tau)$, 
we know that either $y_2 = \mathsf{inl}\,()$ or there exists $y_2'$ such that $y_2 = \mathsf{inr}\ y_2'$. In either case, 
there exists $z \downarrow \mathsf{unit} + (\tau \to \tau)$ such that the case expression above evaluates to $\mathsf{roll}\ z$. 
Consequently, by Rule SYM-EXP, the goal reduces to showing 

$(\mathsf{roll}\ y_1, \mathsf{roll}\ z) \in \mathcal{V}^\sim\llbracket\mu\alpha.\ \mathsf{unit} + (\alpha \to \alpha)\rrbracket$ 

Unfolding the definition of $\mathcal{V}^\sim\llbracket\mu\alpha.\ \mathsf{unit} + (\alpha \to \alpha)\rrbracket$, it suffices by Rule WEAK-▷ to show 

$(y_1, z) \in \mathcal{V}^\sim\llbracket\mathsf{unit} + (\tau \to \tau)\rrbracket$ 

under a strengthened (i.e., $\triangleleft$'d) context in which the $\triangleright$ has been removed from any of our 
previous assumptions. In particular, we may now assume our LÖB-inductive hypothesis 
$(\mathsf{id}, v) \in \mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$, as well as $(y_1, y_2) \in \mathcal{V}^\sim\llbracket\mathsf{unit} + (\tau \to \tau)\rrbracket$, to hold "now" as opposed to 
"later". The latter assumption yields two cases: 

Case inl: 

$y_1 = y_2 = z = \mathsf{inl}\,()$. Trivial. 

Case inr: 

$y_1 = \mathsf{inr}\ y_1'$, $y_2 = \mathsf{inr}\ y_2'$, $(y_1', y_2') \in \mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$, and $z = \mathsf{inr}\,(\lambda y : \tau.\ v\,(y_2'\,(v\,y)))$. Thus, 
to complete the proof it suffices to show 

$(y_1', \lambda y : \tau.\ v\,(y_2'\,(v\,y))) \in \mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$ 

Applying Rule FUNEXT (in its symmetric form) and Rule SYM-EXP, we assume $(z_1, z_2) \in 
\mathcal{V}^\sim\llbracket\tau\rrbracket$, and have to show 

From $(\mathsf{id}, v) \in \mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$, together with relatedness of $z_1$ and $z_2$, we may conclude 
by Rules APP and SYM-RED that $(z_1, v\,z_2) \in \mathcal{E}^\sim\llbracket\tau\rrbracket$. By relatedness of $y_1'$ and $y_2'$ and 
Rule APP, we have that $(y_1'\,z_1, y_2'\,(v\,z_2)) \in \mathcal{E}^\sim\llbracket\tau\rrbracket$. Thus, by Rule SYM-BIND, choosing 
as the evaluation contexts of interest $[\cdot]$ and $v\,[\cdot]$, our goal reduces to showing that for 
any $z_1', z_2'$, if $(z_1', z_2') \in \mathcal{V}^\sim\llbracket\tau\rrbracket$, then $(z_1', v\,z_2') \in \mathcal{E}^\sim\llbracket\tau\rrbracket$. As before, this follows from 
$(\mathsf{id}, v) \in \mathcal{V}^\sim\llbracket\tau \to \tau\rrbracket$, together with Rules APP and SYM-RED. □ 

5.3. A "Free Theorem". Suppose that $\tau$ and $\sigma$ are closed types, that $h$ and $f$ are values 
such that $h : \forall\alpha.\ \alpha \to \alpha \to \alpha$ and $f : \tau \to \sigma$, and that $v$ and $w$ are values of type $\tau$. We will 
prove that $h\,\sigma\,(f\,v)\,(f\,w)$ contextually approximates $f\,(h\,\tau\,v\,w)$ unconditionally, and that 
the reverse approximation also holds if $f$ is total (a sufficient, but not necessary, condition), 
defined as $\mathsf{total}(f) \stackrel{\mathrm{def}}{=} \forall x.\ x \downarrow \tau \Rightarrow \exists y.\ f\,x \Downarrow y$. 

The proof is interesting in that it is mostly done in a symmetric fashion, except for 
one inner lemma, which requires us to split into cases, one for each asymmetric direction 
of approximation. Since one of the two directions includes an extra assumption concerning 
the totality of $f$, we will actually prove the theorem 

$C \vdash (h\,\sigma\,(f\,v)\,(f\,w),\ f\,(h\,\tau\,v\,w)) \in \mathcal{E}^\sim\llbracket\sigma\rrbracket$ 

where $C = d, d \downarrow \mathsf{bool}, d = \mathsf{false} \Rightarrow \mathsf{total}(f)$. To prove the theorem, we use Rule SYM-BIND 
with the evaluation contexts $[\cdot]$ and $f\,[\cdot]$, respectively. The proof is in two parts. 

Part 1. First, we prove that 

$(h\,\sigma\,(f\,v)\,(f\,w),\ h\,\tau\,v\,w) \in \mathcal{E}^\sim\llbracket\alpha\rrbracket\rho$ 

where $\rho = \alpha \mapsto (\sigma, \tau, R)$ and 

$R = (y_1 \downarrow \sigma, y_2 \downarrow \tau).\ (y_1, f\,y_2) \in \mathcal{E}^\sim\llbracket\sigma\rrbracket$ 

By Theorem 4.21, $(h, h) \in \mathcal{E}^\sim\llbracket\forall\alpha.\ \alpha \to \alpha \to \alpha\rrbracket$. Thus, $(h\,\sigma, h\,\tau) \in \mathcal{E}^\sim\llbracket\alpha \to \alpha \to \alpha\rrbracket\rho$. To 
prove our desired result (by Rule APP), it remains to show that $(f\,v, v) \in \mathcal{E}^\sim\llbracket\alpha\rrbracket\rho$ and 
$(f\,w, w) \in \mathcal{E}^\sim\llbracket\alpha\rrbracket\rho$. We show the proof for the former; the latter is exactly the same. 

This is the place where we need to split into cases depending on the direction of the 
proof. Both cases use the fact, due to the Fundamental Theorem, that $(f\,v, f\,v) \in \mathcal{E}^\sim\llbracket\sigma\rrbracket$. 

Case $d = \mathsf{true}$: 

We need to show $(f\,v, v) \in \mathcal{E}\llbracket\alpha\rrbracket\rho$. Since $(f\,v, f\,v) \in \mathcal{E}\llbracket\sigma\rrbracket$, by Rule BIND (using 
evaluation context $[\cdot]$) and Rule VAL we may assume that there exist $x_1, x_2$ such that 
$(x_1, x_2) \in \mathcal{V}\llbracket\sigma\rrbracket$ and $x_2 \le f\,v$, and it remains to show $(x_1, v) \in \mathcal{V}\llbracket\alpha\rrbracket\rho = R$. The latter is 
equivalent to $(x_1, f\,v) \in \mathcal{E}\llbracket\sigma\rrbracket$, which follows directly from the assumptions by Rule CIU. 

Case $d = \mathsf{false}$: 

We need to show $(v, f\,v) \in \mathcal{E}\llbracket\alpha\rrbracket\rho^{\mathrm{op}}$. Using the assumption $\mathsf{total}(f)$, which is available 
since $d = \mathsf{false}$, we know that there exists $x \downarrow \sigma$ such that $f\,v \Downarrow x$. Thus, $f\,v \le x$ and 
$x \le f\,v$. By Rules CIU and VAL, it suffices to show $(v, x) \in \mathcal{V}\llbracket\alpha\rrbracket\rho^{\mathrm{op}} = R^{\mathrm{op}}$. Unrolling 
the definition of $R$, we see that the goal is equivalent to $(f\,v, x) \in \mathcal{E}\llbracket\sigma\rrbracket$, which follows 
from $(f\,v, f\,v) \in \mathcal{E}\llbracket\sigma\rrbracket$ and $f\,v \le x$ by Rule CIU. 

Part 2. Next, we assume that $(z_1, z_2) \in \mathcal{V}^\sim\llbracket\alpha\rrbracket\rho = R$ and we need to show that 

But this falls out directly from the definition of $R$, so we are done. □ 

6. The Merits of Our Approach 

By way of comparison with previous work, we now informally present an alternative proof 
of the "flag objects" example (from Section 5.1) in the style of Ahmed [3]. Following that, 
we discuss how our LSLR proof relates to and improves on this alternative proof. 

6.1. Flag Objects Proof With Explicit Step Manipulation. We now sketch a proof 
for the "flag objects" example from Section 5.1 using Ahmed's logical relation [3]. Since 
the latter is asymmetric, to prove equivalence of bflag and iflag at type flag, we must 
show that for all $n > 0$, $(n, \mathsf{bflag}, \mathsf{iflag}) \in \mathcal{E}\llbracket\mathsf{flag}\rrbracket$ and $(n, \mathsf{iflag}, \mathsf{bflag}) \in \mathcal{E}\llbracket\mathsf{flag}\rrbracket$, where 
$\mathcal{E}\llbracket\cdot\rrbracket$ is the asymmetric logical relation for closed terms from Ahmed's paper. Here, writing 
$(n, e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket$ means that $e_1$ and $e_2$ are related for $n$ steps, or more specifically, that 
if $e_1$ terminates in less than $n$ steps then $e_2$ will terminate (in any number of steps) and 
the resulting values will be related for the remaining number of steps. We discuss only one 
direction of the proof; the other direction is similar. 

To prove that $(n, \mathsf{bflag}, \mathsf{iflag}) \in \mathcal{E}\llbracket\mathsf{flag}\rrbracket$ for arbitrary $n > 0$, it suffices to show 
$(n, \mathsf{bflag}, \mathsf{iflag}) \in \mathcal{V}\llbracket\mathsf{flag}\rrbracket$, since bflag and iflag are values. We take $\tau_1 = \mathsf{bool}$, $\tau_2 = \mathsf{int}$, 
and 

$R = \{(n', v_1, v_2) \mid\ \vdash v_1 : \mathsf{bool} \wedge\ \vdash v_2 : \mathsf{int} \wedge$ 
$\qquad\qquad\qquad\ \exists y : \mathsf{int}.\ (v_1 = \mathsf{true} \wedge 2y \Downarrow v_2) \vee (v_1 = \mathsf{false} \wedge 2y + 1 \Downarrow v_2)\}$ 

Let $\rho = \alpha \mapsto (\mathsf{bool}, \mathsf{int}, R)$. It then suffices to show, for all $m < n$, that 

$(m, \mathsf{roll}\,(\mathsf{true}, (\mathsf{bflip}, \mathsf{bret})), \mathsf{roll}\,(0, (\mathsf{iflip}, \mathsf{iret}))) \in \mathcal{V}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$ 

Unwinding the definitions of $\mathcal{V}\llbracket\mu\beta.\ \tau\rrbracket$ and $\mathcal{V}\llbracket\tau_1 \times \tau_2\rrbracket$, it now suffices to show the following 
for all $k < m$: 

(1) Show $(k, \mathsf{true}, 0) \in \mathcal{V}\llbracket\alpha\rrbracket\rho$. This is immediate from the definition of $R$, choosing $y = 0$ 
as before. 

(2) Show $(k, \mathsf{bflip}, \mathsf{iflip}) \in \mathcal{V}\llbracket\mathsf{fld}_\alpha \to \mathsf{fld}_\alpha\rrbracket\rho$. For arbitrary $j < k$, assuming we are given 
$(j, v_{a1}, v_{a2}) \in \mathcal{V}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$, we are required to show: 

$(j,\ \mathsf{roll}\,(\mathsf{not}\,(\mathsf{fst}\,(\mathsf{unroll}\ v_{a1})), \mathsf{snd}\,(\mathsf{unroll}\ v_{a1})),$ 
$\quad\ \mathsf{roll}\,(1 + (\mathsf{fst}\,(\mathsf{unroll}\ v_{a2})), \mathsf{snd}\,(\mathsf{unroll}\ v_{a2}))) \in \mathcal{E}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$ 

We assume that $\mathsf{roll}\,(\mathsf{not}\,(\mathsf{fst}\,(\mathsf{unroll}\ v_{a1})), \mathsf{snd}\,(\mathsf{unroll}\ v_{a1}))$ evaluates to a value 
$v_{f1}$ in $i < j$ steps. We are required to show that there exists a value $v_{f2}$ such that 
$\mathsf{roll}\,(1 + (\mathsf{fst}\,(\mathsf{unroll}\ v_{a2})), \mathsf{snd}\,(\mathsf{unroll}\ v_{a2}))$ evaluates to $v_{f2}$ and $(j - i, v_{f1}, v_{f2}) \in 
\mathcal{V}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$. Since these expressions clearly require more than one step of evaluation, we 
know that $j > 2$ (which is relevant here when we talk about $j - 1$). 
From $(j, v_{a1}, v_{a2}) \in \mathcal{V}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$, it follows that $v_{a1} = \mathsf{roll}\ v_{10}$ and $v_{a2} = \mathsf{roll}\ v_{20}$, and 
furthermore that $v_{10} = (v_{11}, v_{12})$ and $v_{20} = (v_{21}, v_{22})$, where $(j - 1, v_{11}, v_{21}) \in \mathcal{V}\llbracket\alpha\rrbracket\rho$ 
and $(j - 1, v_{12}, v_{22}) \in \mathcal{V}\llbracket(\mathsf{fld}_\alpha \to \mathsf{fld}_\alpha) \times (\mathsf{fld}_\alpha \to \mathsf{bool})\rrbracket\rho$. 

Hence, by the operational semantics, we have that: 

$\mathsf{roll}\,(\mathsf{not}\,(\mathsf{fst}\,(\mathsf{unroll}\ v_{a1})), \mathsf{snd}\,(\mathsf{unroll}\ v_{a1}))$ 
$\mapsto \mathsf{roll}\,(\mathsf{not}\,(\mathsf{fst}\ v_{10}), \mathsf{snd}\,(\mathsf{unroll}\ v_{a1}))$ 
$\mapsto \mathsf{roll}\,(\mathsf{not}\ v_{11}, \mathsf{snd}\,(\mathsf{unroll}\ v_{a1}))$ 
$\mapsto \mathsf{roll}\,(\neg v_{11}, \mathsf{snd}\,(\mathsf{unroll}\ v_{a1}))$ 
$\mapsto \mathsf{roll}\,(\neg v_{11}, \mathsf{snd}\ v_{10})$ 
$\mapsto \mathsf{roll}\,(\neg v_{11}, v_{12})$ 

where $\neg v_{11}$ is a value denoting the negation of $v_{11}$. 
Also, by the operational semantics: 

$\mathsf{roll}\,(1 + (\mathsf{fst}\,(\mathsf{unroll}\ v_{a2})), \mathsf{snd}\,(\mathsf{unroll}\ v_{a2}))$ 
$\mapsto \mathsf{roll}\,(1 + (\mathsf{fst}\ v_{20}), \mathsf{snd}\,(\mathsf{unroll}\ v_{a2}))$ 
$\mapsto \mathsf{roll}\,(1 + v_{21}, \mathsf{snd}\,(\mathsf{unroll}\ v_{a2}))$ 
$\mapsto \mathsf{roll}\,(1{+}v_{21}, \mathsf{snd}\,(\mathsf{unroll}\ v_{a2}))$ 
$\mapsto \mathsf{roll}\,(1{+}v_{21}, \mathsf{snd}\ v_{20})$ 
$\mapsto \mathsf{roll}\,(1{+}v_{21}, v_{22})$ 
$= v_{f2}$ 

where $1{+}v_{21}$ is a value denoting the sum of $1$ and $v_{21}$. 

It remains for us to show that $(j - i, v_{f1}, v_{f2}) \in \mathcal{V}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$. By the definition of 
$\mathcal{V}\llbracket\mu\beta.\ \tau\rrbracket$ and $\mathcal{V}\llbracket\tau_1 \times \tau_2\rrbracket$, it suffices to show that, assuming $j - i > 0$: 

• $(j - i - 1, \neg v_{11}, 1{+}v_{21}) \in \mathcal{V}\llbracket\alpha\rrbracket\rho$, which follows from $(j - 1, v_{11}, v_{21}) \in \mathcal{V}\llbracket\alpha\rrbracket\rho$ and 
the definition of $R$. 

• $(j - i - 1, v_{12}, v_{22}) \in \mathcal{V}\llbracket(\mathsf{fld}_\alpha \to \mathsf{fld}_\alpha) \times (\mathsf{fld}_\alpha \to \mathsf{bool})\rrbracket\rho$, which follows from the fact 
above that $v_{12}$ and $v_{22}$ are related for $j - 1$ steps, which means that they must be 
related for fewer steps. 

(3) Show $(k, \mathsf{bret}, \mathsf{iret}) \in \mathcal{V}\llbracket\mathsf{fld}_\alpha \to \mathsf{bool}\rrbracket\rho$. This is similar to the proof of part (2). □ 

6.2. What Have We Achieved? One can see that the above proof requires quite a bit of 
pedantic step manipulation that is entirely unimportant in terms of the overall proof. The 
proof using LSLR allows us to ignore steps and focus on the interesting parts of the proof. 

Perhaps more importantly, the above proof is almost "mindless" in the sense that it 
proceeds by simply unrolling definitions. For instance, step (2) of the proof proceeds to 
prove relatedness of two terms for $j$ steps in $\mathcal{E}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$ by symbolically evaluating them to 
values and then showing that the resulting values are related for $j - i$ steps, where $i$ is the 
number of steps it takes to evaluate the first term. This is exactly how one would attempt 
to prove the subgoal if one were just to expand the definition of $\mathcal{E}\llbracket\mathsf{fld}_\alpha\rrbracket\rho$. But as a result, 
one is forced to talk about the particular number of steps the first term takes to evaluate, 
and moreover, the idea of the proof is obscured. 

In contrast, the LSLR proof of this example has a much clearer structure because it is 
constructed using higher-level proof rules. In the aforementioned step (2), the LSLR proof 
does not need to symbolically execute the terms because it is possible to use compatibility 
rules, together with the SYM-BIND rule, instead. This combination is applicable precisely 
because the two terms being related have a very similar structure and only differ in one 
place. Thus, the ability to prove the relatedness of the terms using those rules sheds light 
on why they are equivalent. 

That said, the reader may wonder: is the logic LSLR really necessary? Can we take 
the proof rules that we have derived in LSLR and interpret them back into the step-indexed 
model, thus resulting in proof principles for the step-indexed model that do mention steps 
but nonetheless help one to write proofs in a more structured way? We believe that to some 
extent this should be possible. For example, here is a variant of the BIND2 rule that holds 
(ignoring syntactic typing side conditions) for Ahmed's model: 

$$\frac{(j, e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho \qquad \forall i < j.\ \forall v_1, v_2.\ (i, v_1, v_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho \Rightarrow (i, E_1[v_1], E_2[v_2]) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'}{(j, E_1[e_1], E_2[e_2]) \in \mathcal{E}\llbracket\tau'\rrbracket\rho'}$$ 

This proof principle is almost as clean as the BIND2 rule, the only difference being that 
this step-indexed version requires an explicit quantification over future worlds $i$, whereas in 
LSLR that quantification is baked into the interpretation of the logical judgment. While 
this explicit quantification is annoying, the above rule should still (we believe) be useful in 
improving the structure of "direct" step-indexed proofs. (It is less clear how to interpret 
the symmetric rules from Figure 9 into useful step-indexed rules.) 

Thus, what we view as the major contribution of this work is the development of a set 
of proof principles to enable better structuring of step-indexed proofs. By working at the 
logical level, instead of directly in the step-indexed model, we have been forced to come up 
with clean high-level rules that do not mention steps, but at least some of these rules should 
in retrospect also be useful for improving the structure of direct step-indexed proofs. 

7. Comparison With an Earlier Version of LSLR 

In this section, we explain the four main differences between the present version of LSLR 
and the earlier version that we described in our LICS 2009 paper [14]. 

Atomic Typing and Value Predicates. In the earlier version of LSLR, we built in the 
atomic predicates of syntactic typing ($e : \tau$) and value-hood ($\mathsf{Val}$) as primitive notions in the 
logic, instead of treating them as ordinary atomic relations as we do presently. Specifically, 
we imposed a distinction in the variable context $\mathcal{X}$ between value variables $x$ and term 
variables $t$ and required typing annotations on their context bindings. We also required 
relation variables to be bound with explicit relation types $\mathsf{TRel}(\tau_1, \tau_2)$ and $\mathsf{VRel}(\tau_1, \tau_2)$ 
(relations were restricted to be binary). In the present version, we also make use of relation 
types, but these are definable in the logic and need not be made primitive. 

There was in retrospect no particularly good reason for giving these predicates special 
treatment, nor for restricting the arity of relations to 2. We feel our present treatment is 
simpler, cleaner, and more general. 

Distinction Between Logic and Model. In the earlier version of LSLR, we made a 
distinction between our main logical judgment, $C \vdash P$, defined by a set of core inference 
rules, and its interpretation into the model, which we wrote as $C \models P$. This enabled a more 
precise characterization of what it means for a rule (like those in Figure 7) to be "derivable". 

In the present paper, we conflate $\vdash$ and $\models$, thus allowing arbitrary new inference rules 
to be added to the logic at a later time as long as they can be proven sound. We have 
made this change because ultimately it is not clear to us why (or that) the core set of 
inference rules we gave in Figure 5 are the "right" (or "canonical") ones. They are simply 
a set of sound rules that we have found to be useful for doing nearly all of our proofs 
about logical relations in LSLR. However, as in the LICS paper, those core rules are not 
"complete": occasionally, as in the proof of Adequacy of our logical relation, one needs to 
reason directly in the model. We therefore feel there is no particular need to grant those 
core rules "definitional" status. 

Completeness of the Logical Relation. In the LICS paper, we defined a logical relation 
for $F^\mu$ that, like Ahmed's original logical relation for $F^\mu$ [3], was sound, but not complete, 
with respect to contextual approximation. (The incompleteness is related to the treatment 
of existential types, cf. Example 7.7.4 in Pitts [26].) The only substantive difference between 
that logical relation and our present version is in the definition of $\mathcal{E}\llbracket\tau\rrbracket\rho$. If $(e_1, e_2) \in \mathcal{E}\llbracket\tau\rrbracket\rho$, 
then in the case when $e_1 \Downarrow v_1$, the LICS logical relation would insist that $e_2$ evaluate to 
some value $v_2$ such that $(v_1, v_2) \in \mathcal{V}\llbracket\tau\rrbracket\rho$. In our present logical relation, we only insist that 
$e_2$ be ciu-approximated by such a value $v_2$. This added flexibility is important in proving 
the Ciu-Transitivity property (Theorem 4.24), which is the key to showing completeness of 
our present version of the logical relation. 

This change to the logical relation has resulted in changes to some of the derivable rules 
in Figures 7 and 9 as well. Rule CIU, for instance, is more flexible than the corresponding 
Rule 3 in the LICS paper, whereas Rule BIND is more restrictive than the corresponding 
Rule 6 in the LICS paper. Practically speaking, though, these differences seem to be very 
minor, and they have not induced any serious changes to our proofs of the examples in 
Section 5. 

Fixing a Technical Flaw. Our present account of LSLR fixes a technical flaw in the 
LICS version, namely that three inference rules in that paper are unsound (and all three for 
similar reasons). Luckily, none of the rules was of critical importance. The common error 
we made in our proofs for all three rules was in forgetting that, when reasoning about the 
$\triangleright$ operator, the interesting "base case" is often not world 0 but world 1. 

The first unsound rule is Rule ▷∃ from Figure 6 in the case where $\mathcal{X}$ is of the form 
$x : \tau$. (Note: our present version of LSLR does not run afoul of this bug precisely because 
we no longer bake typing or value predicates into the $\mathcal{X}$.) The problem arises when $\tau$ is an 
uninhabited type, such as $\forall\alpha.\ \alpha$. The ▷∃ rule says that $\triangleright\exists x : \tau.\ P$ implies $\exists x : \tau.\ \triangleright P$. In 
order for this to be sound it must at least be the case that $\llbracket\triangleright\exists x : \tau.\ P\rrbracket 1$ implies $\llbracket\exists x : \tau.\ \triangleright P\rrbracket 1$. 
However, the former is trivially true, and the latter is false because there is no value of type 
$\tau$. The rule is easy to show sound under the side condition that $\tau$ is inhabited. 

The second and third unsound rules are those numbered Rule 10 and Rule 8 (the 
backwards direction) in the LICS paper, which are as follows: 

$$\frac{C \vdash \triangleright(e_1, e_2) \in \mathcal{E}\llbracket\tau[\mu\alpha.\ \tau/\alpha]\rrbracket\rho}{C \vdash (\mathsf{roll}\ e_1, \mathsf{roll}\ e_2) \in \mathcal{E}\llbracket\mu\alpha.\ \tau\rrbracket\rho} \qquad\qquad \frac{C \vdash (\mathsf{unroll}\ e_1, \mathsf{unroll}\ e_2) \in \mathcal{E}\llbracket\tau[\mu\alpha.\ \tau/\alpha]\rrbracket\rho}{C \vdash (e_1, e_2) \in \mathcal{E}\llbracket\mu\alpha.\ \tau\rrbracket\rho}$$ 

The problem with these rules, again, is that the implications do not hold when the 
propositions are interpreted at world 1. In our buggy proofs of derivability for these rules, the error 
manifested itself as a need to derive $e_2 \Downarrow v_2$ in a context where we only knew $\triangleright(e_2 \Downarrow v_2)$. 
Interestingly, $\llbracket\triangleright(e_2 \Downarrow v_2)\rrbracket n$ does imply $\llbracket e_2 \Downarrow v_2\rrbracket n$ for all $n$ except $n = 1$. 

Fortunately, the only one of these rules that we actually made any use of was the last 
one. We used it in the proof of the syntactic minimal invariance example, and thus our 
present proof of that example is somewhat different than the one given in the LICS paper. 
In particular, in proving that example, we now make critical use of the standard Canonical 
Forms property for well-typed values, which we did not in the LICS paper. 

8. Related Work and Conclusion 

As explained in the introduction, LSLR is greatly indebted to (1) Plotkin and Abadi's logic 
for parametricity, and (2) Appel, Melliès, Richards, and Vouillon's "very modal model". 
However, there are also significant differences between our work and theirs. 

Plotkin and Abadi's logic was originally developed for pure System F, as was Abadi, 
Cardelli and Curien's System R [1]. (The latter is less expressive, in that the only relations 
definable in the logic are those that are maps of System F functions.) In recent years, 
several extensions of PAL to richer languages with effects have been proposed. Plotkin [29] 
suggested a variant for a second-order linear type theory with a polymorphic fixed-point 
combinator to combine polymorphism with recursion; it relies on an abstract notion of 
admissible relations (see also [11]), whereas our logic LSLR does not. Bierman, Pitts and 
Russo [9] equipped the language suggested by Plotkin with an operational semantics, 
resulting in a programming language called Lily. Here instead we consider a standard call-by-value 
language with impredicative polymorphism and recursive types and show how to define a 
logic for reasoning about that language's operational semantics. 

The main difference between our work and AMRV's very modal model is the application: 
whereas AMRV use the later operator $\triangleright$ to reason about type safety (a unary property) in 
a low-level language, we use it to reason about contextual approximation and equivalence 
(binary properties) in a high-level language. Certain issues, such as the development of 
both symmetric and asymmetric reasoning principles, do not arise in the unary setting. 
There are other concerns that do not apply to our setting, such as the desire for 
non-monotone predicates (hence our monotonicity axiom, which simplifies matters). Moreover, 
a significant component of our contribution is the derivation of a set of useful, 
language-specific inference rules and the application of those rules to several representative examples 
from the literature. 

Our application of the LÖB rule in connection with a logical-relations method results 
in coinductive-style reasoning principles reminiscent of those used in bisimulation-based 
methods like Sumii and Pierce's [34], or Lassen and Levy's [20]. Sumii and Pierce give 
several example applications of their method in a language setting very similar to the one 
we consider here. In Section 5 we already showed how to use LSLR to prove two examples 
adapted from their paper, and our approach is capable of straightforwardly handling the 
other examples that their method can prove as well. 

That said, Sumii and Pierce do present one equivalence, the "IntSet" example at the 
beginning of Section 7 of their paper, which does not seem to be provable directly within 
our logic, although it is provable through a transitive combination of equivalence proofs. 
They use this example to exhibit a limitation of their method with respect to reasoning 
about higher-order functions, and hence to motivate an "up-to-context" extension of their 
bisimulation that alleviates the problem. However, they do not actually offer a proof of the 
IntSet example (using the up-to-context extension or otherwise), and we believe the proof 
to be considerably more involved than for the other up-to-context examples in their paper. 
Ahmed [4] has given a proof of this example using step-indexed logical relations (see her 
technical report), but her proof is closely tailored to the specific example and seems difficult 
to adapt, e.g., if the ADT in the example is extended with a "remove" operation. 

The IntSet example is challenging because it involves an equivalence between two 
recursive functions that are structurally quite dissimilar in their recursive calling patterns, 
and the hard work in the proof involves demonstrating that both functions ultimately call a 
certain (unknown) function on the same multiset of arguments (albeit in a different order). 
The clearest way to establish this fact is using inductive reasoning about computations on 
lists and trees, which can be accomplished using standard proof techniques and is orthogonal 
to the coinductive, relational style of reasoning that LSLR (and in particular the $\triangleright$ 
operator) provides. While for this example the inductive and coinductive bits of the proof can 
be easily combined using a transitive combination of equivalences, it would be interesting 
to explore in future work how to better integrate inductive reasoning into our logic. 

Bisimulations have also been developed for relational reasoning in languages with 
general references and/or control operators [19, 32, 31, 33]. We hope that the present work will 
help to illuminate the relationship between step-indexed logical relations and bisimulation 
techniques, perhaps leading to a more unifying account. 

Also related to our use of the LÖB rule is the work of Brandt and Henglein [12], who gave 
a coinductive axiomatization of recursive type equality and subtyping via a coinduction-like 
rule. They also defined the semantic interpretation of their subtyping judgment using a 
stratified, essentially step-indexed, interpretation. 

Finally, besides step-indexed logical relations, a number of other logical relations 
methods have been proposed for languages with parametric polymorphism, recursion, and/or 
recursive types, e.g., [25, 13, 22]. One of the most important advances in this 
domain is the idea of $\top\top$-closure (aka biorthogonality). In developing a logical relation 
for a language with impredicative polymorphism, existential types, and general recursion, 
Pitts [25, 26] proposed $\top\top$-closure as a useful operational technique for guaranteeing 
admissibility of relations (in the denotational sense). In the step-indexed model, the whole issue 
of admissibility is sidestepped. Intuitively, there is no need to worry about a fixed-point 
behaving like the limit of its finite approximations if we restrict attention to how programs 
behave in a finite amount of time (as the step-indexed model does). 

For non-step-indexed logical relations it is well known that $\top\top$-closure also has the 
pleasing side effect of rendering the relations complete w.r.t. contextual equivalence. This 
is also the case for step-indexed logical relations, as shown in recent work of Dreyer et al. [15]. 
We have presented in this paper an alternative technique for ensuring completeness, namely 
closure w.r.t. ciu-approximation (in the definition of $\mathcal{E}\llbracket\tau\rrbracket\rho$). We believe our approach 
is simpler and more direct than $\top\top$-closure, but neither approach subsumes the other. 
On the one hand, $\top\top$-closure is applicable in more general settings, such as lower-level 
languages [8, 17] or languages with control operators [15], where the behavior of a term 
depends on its evaluation context. On the other hand, this added generality means that a 
$\top\top$-closed relation is incapable of validating some of the inference rules that hold in our 
more restricted setting. For example, the SYM-BIND rule (Figure 9) would not hold in a 
$\top\top$-closed model unless we were to remove the assumptions in the last premise connecting the 
$x_i$'s and the $e_i$'s, thus weakening the rule somewhat. We do believe, however, that it should 
be possible to formalize a variant of our LSLR logical relation that uses $\top\top$-closure instead 
of ciu-closure. Understanding the tradeoffs between the two closure techniques remains an 
interesting problem for future work. 
Non-step-indexed logical relations for languages with recursive types are notoriously 
tricky to construct; the construction of such relations relies on the use of syntactic minimal 
invariance, mimicking the construction used in domain theory [27, 10, 13]. An advantage 
of this more elaborate construction over step-indexed logical relations is that the resulting 
proof method is more abstract and does not involve steps. In this paper, we have shown 
how to devise a more abstract proof method for step-indexed logical relations. Our resulting 
proof method is at roughly the same level of abstraction as that of non-step-indexed logical 
relations. This point was illustrated explicitly with the various examples in Section 5. 
For yet another example, just involving recursive types, the reader might want to consider 
Birkedal and Harper's example of stream operations [10]. Their proof uses a coinduction 
proof principle that is derived as a corollary of the elaborate construction of the logical 
relation. This example can also be proved in LSLR in a very similar manner, except that 
we use a combination of the LÖB and SYM-EXP-▷ rules instead of actual coinduction. 

We do not claim that the method presented in this paper is per se more powerful 
than prior approaches. Rather, our goal is to show how to reason about step-indexed 
logical relations in a more abstract way, because step-indexed relations have proven more 
easily adaptable than other logical-relations methods to languages with effects (particularly 
state) [3, 5]. We believe that the work presented here makes an important first step 
toward logical step-indexed logical relations for effectful programs. Indeed, since publication 
of our original LICS paper [14], a promising variant/extension of LSLR (called LADR) has 
been developed [16], which enables abstract relational reasoning about a step-indexed model 
of $F^{\mu!}$ (an extension of $F^\mu$ with general references). 
Appendix A. Additional Details of F^μ

Typing Contexts   Γ ::= · | Γ, α | Γ, x : τ

Typing judgment: \( \Gamma \vdash e : \tau \)

\[
\frac{\Gamma(x) = \tau}{\Gamma \vdash x : \tau}
\qquad
\frac{}{\Gamma \vdash () : \mathsf{unit}}
\qquad
\frac{}{\Gamma \vdash \pm n : \mathsf{int}}
\qquad
\frac{}{\Gamma \vdash \mathsf{true} : \mathsf{bool}}
\qquad
\frac{}{\Gamma \vdash \mathsf{false} : \mathsf{bool}}
\]

\[
\frac{\Gamma \vdash e : \mathsf{bool} \quad \Gamma \vdash e_1 : \tau \quad \Gamma \vdash e_2 : \tau}
     {\Gamma \vdash \mathsf{if}\ e\ \mathsf{then}\ e_1\ \mathsf{else}\ e_2 : \tau}
\qquad
\frac{\Gamma \vdash e_1 : \tau_1 \quad \Gamma \vdash e_2 : \tau_2}
     {\Gamma \vdash (e_1, e_2) : \tau_1 \times \tau_2}
\]

\[
\frac{\Gamma \vdash e : \tau_1 \times \tau_2}{\Gamma \vdash \mathsf{fst}\ e : \tau_1}
\qquad
\frac{\Gamma \vdash e : \tau_1 \times \tau_2}{\Gamma \vdash \mathsf{snd}\ e : \tau_2}
\qquad
\frac{\Gamma \vdash e : \tau_1}{\Gamma \vdash \mathsf{inl}_{\tau_1 + \tau_2}\ e : \tau_1 + \tau_2}
\qquad
\frac{\Gamma \vdash e : \tau_2}{\Gamma \vdash \mathsf{inr}_{\tau_1 + \tau_2}\ e : \tau_1 + \tau_2}
\]

\[
\frac{\Gamma \vdash e : \tau_1 + \tau_2 \quad \Gamma, x_1 : \tau_1 \vdash e_1 : \tau \quad \Gamma, x_2 : \tau_2 \vdash e_2 : \tau}
     {\Gamma \vdash \mathsf{case}\ e\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow e_2 : \tau}
\]

\[
\frac{\Gamma, x : \tau_1 \vdash e : \tau_2}{\Gamma \vdash \lambda x{:}\tau_1.\, e : \tau_1 \to \tau_2}
\qquad
\frac{\Gamma \vdash e_1 : \tau_2 \to \tau \quad \Gamma \vdash e_2 : \tau_2}{\Gamma \vdash e_1\, e_2 : \tau}
\qquad
\frac{\Gamma, \alpha \vdash e : \tau}{\Gamma \vdash \Lambda\alpha.\, e : \forall\alpha.\, \tau}
\qquad
\frac{\Gamma \vdash e : \forall\alpha.\, \tau \quad \mathrm{FV}(\tau_1) \subseteq \Gamma}{\Gamma \vdash e\, \tau_1 : \tau[\tau_1/\alpha]}
\]

\[
\frac{\mathrm{FV}(\tau_1) \subseteq \Gamma \quad \Gamma \vdash e : \tau[\tau_1/\alpha]}
     {\Gamma \vdash \mathsf{pack}\ \tau_1, e\ \mathsf{as}\ \exists\alpha.\, \tau : \exists\alpha.\, \tau}
\qquad
\frac{\Gamma \vdash e_1 : \exists\alpha.\, \tau_1 \quad \mathrm{FV}(\tau) \subseteq \Gamma \quad \Gamma, \alpha, x : \tau_1 \vdash e_2 : \tau}
     {\Gamma \vdash \mathsf{unpack}\ e_1\ \mathsf{as}\ \alpha, x\ \mathsf{in}\ e_2 : \tau}
\]

\[
\frac{\Gamma \vdash e : \tau[\mu\alpha.\, \tau/\alpha] \quad \mathrm{FV}(\mu\alpha.\, \tau) \subseteq \Gamma}
     {\Gamma \vdash \mathsf{roll}_{\mu\alpha.\, \tau}\ e : \mu\alpha.\, \tau}
\qquad
\frac{\Gamma \vdash e : \mu\alpha.\, \tau}
     {\Gamma \vdash \mathsf{unroll}\ e : \tau[\mu\alpha.\, \tau/\alpha]}
\]

Figure 10: Static Semantics 
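As an added worked instance of the roll/unroll rules of Figure 10 (this derivation is not part of the original paper), consider the self-application term λx:σ. (unroll x) x for the recursive type σ = μα. α → τ, with τ a closed type. Unrolling σ gives (α → τ)[σ/α] = σ → τ, which is exactly what lets a value of type σ be applied to itself:

\[
\frac{
  \dfrac{\dfrac{(x{:}\sigma)(x) = \sigma}{x{:}\sigma \vdash x : \sigma}}
        {x{:}\sigma \vdash \mathsf{unroll}\ x : \sigma \to \tau}
  \qquad
  \dfrac{(x{:}\sigma)(x) = \sigma}{x{:}\sigma \vdash x : \sigma}
}{
  x{:}\sigma \vdash (\mathsf{unroll}\ x)\, x : \tau
}
\qquad
\frac{x{:}\sigma \vdash (\mathsf{unroll}\ x)\, x : \tau}
     {\cdot \vdash \lambda x{:}\sigma.\, (\mathsf{unroll}\ x)\, x : \sigma \to \tau}
\]

The only non-structural step is the instance of the unroll rule, which converts the hypothesis x : σ into the function type σ → τ needed by the application rule; without recursive types no such term is typable. Applying this function to roll_σ of itself yields a well-typed term of type τ that reduces to itself, which is the reason the logical relation must be step-indexed (or use the later modality) rather than rely on termination.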
Contexts  C ::= [·] | o(e1, …, e_{i−1}, C, e_{i+1}, …, e_n) |
                if C then e1 else e2 | if e then C else e2 | if e then e1 else C |
                (C, e2) | (e1, C) | fst C | snd C |
                inl_τ C | inr_τ C | case C of inl x1 ⇒ e1 | inr x2 ⇒ e2 |
                case e of inl x1 ⇒ C | inr x2 ⇒ e2 | case e of inl x1 ⇒ e1 | inr x2 ⇒ C |
                λx:τ. C | C e | e C | Λα. C | C τ |
                pack τ1, C as ∃α. τ | unpack C as α, x in e2 | unpack e1 as α, x in C |
                roll_τ C | unroll C

Context typing judgment: \( \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau') \)

\[
\frac{\Gamma \subseteq \Gamma'}{\vdash [\cdot] : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau)}
\qquad
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \mathsf{bool}) \quad \Gamma' \vdash e_1 : \tau' \quad \Gamma' \vdash e_2 : \tau'}
     {\vdash \mathsf{if}\ C\ \mathsf{then}\ e_1\ \mathsf{else}\ e_2 : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

\[
\frac{\Gamma' \vdash e : \mathsf{bool} \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau') \quad \Gamma' \vdash e_2 : \tau'}
     {\vdash \mathsf{if}\ e\ \mathsf{then}\ C\ \mathsf{else}\ e_2 : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\qquad
\frac{\Gamma' \vdash e : \mathsf{bool} \quad \Gamma' \vdash e_1 : \tau' \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
     {\vdash \mathsf{if}\ e\ \mathsf{then}\ e_1\ \mathsf{else}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1) \quad \Gamma' \vdash e_2 : \tau_2}
     {\vdash (C, e_2) : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 \times \tau_2)}
\qquad
\frac{\Gamma' \vdash e_1 : \tau_1 \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_2)}
     {\vdash (e_1, C) : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 \times \tau_2)}
\]

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 \times \tau_2)}
     {\vdash \mathsf{fst}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1)}
\qquad
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 \times \tau_2)}
     {\vdash \mathsf{snd}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_2)}
\]

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1)}
     {\vdash \mathsf{inl}_{\tau_1 + \tau_2}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 + \tau_2)}
\qquad
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_2)}
     {\vdash \mathsf{inr}_{\tau_1 + \tau_2}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 + \tau_2)}
\]

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 + \tau_2) \quad \Gamma', x_1 : \tau_1 \vdash e_1 : \tau' \quad \Gamma', x_2 : \tau_2 \vdash e_2 : \tau'}
     {\vdash \mathsf{case}\ C\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow e_2 : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

\[
\frac{\Gamma' \vdash e : \tau_1 + \tau_2 \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma', x_1 : \tau_1 \vdash \tau') \quad \Gamma', x_2 : \tau_2 \vdash e_2 : \tau'}
     {\vdash \mathsf{case}\ e\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow C \mid \mathsf{inr}\ x_2 \Rightarrow e_2 : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

\[
\frac{\Gamma' \vdash e : \tau_1 + \tau_2 \quad \Gamma', x_1 : \tau_1 \vdash e_1 : \tau' \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma', x_2 : \tau_2 \vdash \tau')}
     {\vdash \mathsf{case}\ e\ \mathsf{of}\ \mathsf{inl}\ x_1 \Rightarrow e_1 \mid \mathsf{inr}\ x_2 \Rightarrow C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma', x : \tau_1 \vdash \tau_2)}
     {\vdash \lambda x{:}\tau_1.\, C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_1 \to \tau_2)}
\qquad
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_2 \to \tau') \quad \Gamma' \vdash e_2 : \tau_2}
     {\vdash C\, e_2 : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\qquad
\frac{\Gamma' \vdash e_1 : \tau_2 \to \tau' \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau_2)}
     {\vdash e_1\, C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

Figure 11: Program Contexts: Syntax and Static Semantics I 
Context typing judgment: \( \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau') \) (contd. from Figure 11)

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma', \alpha \vdash \tau')}
     {\vdash \Lambda\alpha.\, C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \forall\alpha.\, \tau')}
\qquad
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \forall\alpha.\, \tau') \quad \mathrm{FV}(\tau_1) \subseteq \Gamma'}
     {\vdash C\, \tau_1 : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau'[\tau_1/\alpha])}
\]

\[
\frac{\mathrm{FV}(\tau_1) \subseteq \Gamma' \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau'[\tau_1/\alpha])}
     {\vdash \mathsf{pack}\ \tau_1, C\ \mathsf{as}\ \exists\alpha.\, \tau' : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \exists\alpha.\, \tau')}
\]

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \exists\alpha.\, \tau_1) \quad \mathrm{FV}(\tau') \subseteq \Gamma' \quad \Gamma', \alpha, x : \tau_1 \vdash e_2 : \tau'}
     {\vdash \mathsf{unpack}\ C\ \mathsf{as}\ \alpha, x\ \mathsf{in}\ e_2 : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

\[
\frac{\Gamma' \vdash e_1 : \exists\alpha.\, \tau_1 \quad \mathrm{FV}(\tau') \subseteq \Gamma' \quad \vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma', \alpha, x : \tau_1 \vdash \tau')}
     {\vdash \mathsf{unpack}\ e_1\ \mathsf{as}\ \alpha, x\ \mathsf{in}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau')}
\]

\[
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau'[\mu\alpha.\, \tau'/\alpha]) \quad \mathrm{FV}(\mu\alpha.\, \tau') \subseteq \Gamma'}
     {\vdash \mathsf{roll}_{\mu\alpha.\, \tau'}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \mu\alpha.\, \tau')}
\qquad
\frac{\vdash C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \mu\alpha.\, \tau')}
     {\vdash \mathsf{unroll}\ C : (\Gamma \vdash \tau) \rightsquigarrow (\Gamma' \vdash \tau'[\mu\alpha.\, \tau'/\alpha])}
\]

Figure 12: Program Contexts: Static Semantics II 



Appendix B. Remaining Inference Rules for LSLR 

Here, we present the LSLR judgments of relation and substitution well-formedness, as well 
as additional inference rules that are entirely standard. Prop is synonymous with Rel(0). 



Relation well-formedness: \( X; \mathcal{R} \vdash R :: \mathrm{Rel}(n) \)

\[
\frac{r \in \mathcal{R} \quad \mathrm{arity}(r) = n}{X; \mathcal{R} \vdash r :: \mathrm{Rel}(n)}
\qquad
\frac{\mathrm{FV}(e_1, e_2) \subseteq X}{X; \mathcal{R} \vdash e_1 = e_2 :: \mathrm{Prop}}
\qquad
\frac{}{X; \mathcal{R} \vdash \mathrm{Val} :: \mathrm{Rel}(1)}
\qquad
\frac{\mathrm{FV}(e, \tau) \subseteq X}{X; \mathcal{R} \vdash e : \tau :: \mathrm{Prop}}
\]

\[
\frac{\mathrm{FV}(C, \tau, \tau') \subseteq X}{X; \mathcal{R} \vdash C : \tau \rightsquigarrow \tau' :: \mathrm{Prop}}
\qquad
\frac{\mathrm{FV}(e_1, e_2) \subseteq X}{X; \mathcal{R} \vdash e_1 \hookrightarrow e_2 :: \mathrm{Prop}}
\qquad
\frac{\mathrm{FV}(e_1, e_2) \subseteq X}{X; \mathcal{R} \vdash e_1 \hookrightarrow^{*} e_2 :: \mathrm{Prop}}
\]

\[
\frac{}{X; \mathcal{R} \vdash \top :: \mathrm{Prop}}
\qquad
\frac{}{X; \mathcal{R} \vdash \bot :: \mathrm{Prop}}
\qquad
\frac{X; \mathcal{R} \vdash P :: \mathrm{Prop} \quad X; \mathcal{R} \vdash Q :: \mathrm{Prop}}{X; \mathcal{R} \vdash P \wedge Q :: \mathrm{Prop}}
\]

\[
\frac{X; \mathcal{R} \vdash P :: \mathrm{Prop} \quad X; \mathcal{R} \vdash Q :: \mathrm{Prop}}{X; \mathcal{R} \vdash P \vee Q :: \mathrm{Prop}}
\qquad
\frac{X; \mathcal{R} \vdash P :: \mathrm{Prop} \quad X; \mathcal{R} \vdash Q :: \mathrm{Prop}}{X; \mathcal{R} \vdash P \supset Q :: \mathrm{Prop}}
\]

\[
\frac{X, X'; \mathcal{R} \vdash P :: \mathrm{Prop}}{X; \mathcal{R} \vdash \forall X'.\, P :: \mathrm{Prop}}
\qquad
\frac{X; \mathcal{R}, \mathcal{R}' \vdash P :: \mathrm{Prop}}{X; \mathcal{R} \vdash \forall \mathcal{R}'.\, P :: \mathrm{Prop}}
\qquad
\frac{X, X'; \mathcal{R} \vdash P :: \mathrm{Prop}}{X; \mathcal{R} \vdash \exists X'.\, P :: \mathrm{Prop}}
\qquad
\frac{X; \mathcal{R}, \mathcal{R}' \vdash P :: \mathrm{Prop}}{X; \mathcal{R} \vdash \exists \mathcal{R}'.\, P :: \mathrm{Prop}}
\]

\[
\frac{X, \overline{x}; \mathcal{R} \vdash P :: \mathrm{Prop} \quad \overline{x} = x_1, \ldots, x_n}
     {X; \mathcal{R} \vdash \overline{x}.\, P :: \mathrm{Rel}(n)}
\qquad
\frac{\mathrm{FV}(\overline{e}) \subseteq X \quad \overline{e} = e_1, \ldots, e_n \quad X; \mathcal{R} \vdash R :: \mathrm{Rel}(n)}
     {X; \mathcal{R} \vdash \overline{e} \in R :: \mathrm{Prop}}
\]

\[
\frac{X; \mathcal{R}, r \vdash R :: \mathrm{Rel}(n) \quad \mathrm{arity}(r) = n \quad R\ \text{contractive in}\ r}
     {X; \mathcal{R} \vdash \mu r.\, R :: \mathrm{Rel}(n)}
\qquad
\frac{X; \mathcal{R} \vdash P :: \mathrm{Prop}}{X; \mathcal{R} \vdash \triangleright P :: \mathrm{Prop}}
\]
Substitution well-formedness: \( X \vdash \gamma :: X' \) and \( X; \mathcal{R} \vdash \varphi :: \mathcal{R}' \)

\[
\frac{\mathrm{dom}(\gamma) = X' \quad \forall \alpha \in X'.\ \mathrm{FV}(\gamma\alpha) \subseteq X \quad \forall x \in X'.\ \mathrm{FV}(\gamma x) \subseteq X}
     {X \vdash \gamma :: X'}
\qquad
\frac{\mathrm{dom}(\varphi) = \mathcal{R}' \quad \forall r \in \mathcal{R}'.\ \mathrm{arity}(r) = n \Rightarrow X; \mathcal{R} \vdash \varphi r :: \mathrm{Rel}(n)}
     {X; \mathcal{R} \vdash \varphi :: \mathcal{R}'}
\]

Standard logical rules: \( \mathcal{C} \vdash P \)

\[
\frac{\mathcal{C} \vdash P}{\mathcal{C}, \mathcal{C}' \vdash P}
\qquad
\frac{}{\mathcal{C}, P \vdash P}
\qquad
\frac{}{\mathcal{C} \vdash \top}
\qquad
\frac{\mathcal{C} \vdash P \quad \mathcal{C} \vdash Q}{\mathcal{C} \vdash P \wedge Q}
\qquad
\frac{\mathcal{C} \vdash P \wedge Q}{\mathcal{C} \vdash P}
\qquad
\frac{\mathcal{C} \vdash P \wedge Q}{\mathcal{C} \vdash Q}
\]

\[
\frac{\mathcal{C} \vdash P}{\mathcal{C} \vdash P \vee Q}
\qquad
\frac{\mathcal{C} \vdash Q}{\mathcal{C} \vdash P \vee Q}
\qquad
\frac{\mathcal{C} \vdash P \vee Q \quad \mathcal{C}, P \vdash R \quad \mathcal{C}, Q \vdash R}{\mathcal{C} \vdash R}
\qquad
\frac{\mathcal{C}, P \vdash Q}{\mathcal{C} \vdash P \supset Q}
\qquad
\frac{\mathcal{C} \vdash P \supset Q \quad \mathcal{C} \vdash P}{\mathcal{C} \vdash Q}
\]

\[
\frac{\mathcal{C}, X' \vdash P}{\mathcal{C} \vdash \forall X'.\, P}
\qquad
\frac{\mathcal{C} \vdash \forall X'.\, P \quad \mathcal{C} \vdash \gamma :: X'}{\mathcal{C} \vdash \gamma P}
\qquad
\frac{\mathcal{C}, \mathcal{R}' \vdash P}{\mathcal{C} \vdash \forall \mathcal{R}'.\, P}
\qquad
\frac{\mathcal{C} \vdash \forall \mathcal{R}'.\, P \quad \mathcal{C} \vdash \varphi :: \mathcal{R}'}{\mathcal{C} \vdash \varphi P}
\]

\[
\frac{\mathcal{C} \vdash \gamma :: X' \quad \mathcal{C} \vdash \gamma P}{\mathcal{C} \vdash \exists X'.\, P}
\qquad
\frac{\mathcal{C} \vdash \varphi :: \mathcal{R}' \quad \mathcal{C} \vdash \varphi P}{\mathcal{C} \vdash \exists \mathcal{R}'.\, P}
\qquad
\frac{\mathcal{C} \vdash \exists X'.\, P \quad \mathcal{C}, X', P \vdash Q}{\mathcal{C} \vdash Q}
\qquad
\frac{\mathcal{C} \vdash \exists \mathcal{R}'.\, P \quad \mathcal{C}, \mathcal{R}', P \vdash Q}{\mathcal{C} \vdash Q}
\]